Edit tour

Windows Analysis Report
P2V7Mr3DUF.exe

Overview

General Information

Sample name:	P2V7Mr3DUF.exe renamed because original name is a hash value
Original sample name:	110012cdf8fae9fdf6a917ce78ea93ca.exe
Analysis ID:	1586507
MD5:	110012cdf8fae9fdf6a917ce78ea93ca
SHA1:	d290732f03ffa047ab80ead03305a797b0ba3e77
SHA256:	66544fcaa9e5fd43b2250477fc3bcddd1059718b28fdbc3d8b6723943928a483
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

P2V7Mr3DUF.exe (PID: 6496 cmdline: "C:\Users\user\Desktop\P2V7Mr3DUF.exe" MD5: 110012CDF8FAE9FDF6A917CE78EA93CA)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["crowdwarek.shop", "letterdrive.shop", "robinsharez.shop", "chipdonkeruz.shop", "soundtappysk.shop", "apporholis.shop", "femalsabler.shop", "handscreamny.shop", "versersleep.shop"], "Build id": "LOGS11--6969"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:43:13.205078+0100	2028371	3	Unknown Traffic	192.168.2.7	49699	104.102.49.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:43:12.462291+0100	2059035	1	Domain Observed Used for C2 Detected	192.168.2.7	57437	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:43:12.502453+0100	2059037	1	Domain Observed Used for C2 Detected	192.168.2.7	60374	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:43:12.472358+0100	2059039	1	Domain Observed Used for C2 Detected	192.168.2.7	62182	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:43:12.422948+0100	2059041	1	Domain Observed Used for C2 Detected	192.168.2.7	51993	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:43:12.520722+0100	2059043	1	Domain Observed Used for C2 Detected	192.168.2.7	50040	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:43:12.530838+0100	2059049	1	Domain Observed Used for C2 Detected	192.168.2.7	50277	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:43:12.412269+0100	2059051	1	Domain Observed Used for C2 Detected	192.168.2.7	63559	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:43:12.482080+0100	2059057	1	Domain Observed Used for C2 Detected	192.168.2.7	64220	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:43:13.836799+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.7	49699	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: P2V7Mr3DUF.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://femalsabler.shop/api	Avira URL Cloud: Label: malware
Source: https://soundtappysk.shop/	Avira URL Cloud: Label: malware
Source: https://femalsabler.shop/	Avira URL Cloud: Label: malware
Source: https://femalsabler.shop/p9S	Avira URL Cloud: Label: malware
Source: letterdrive.shop	Avira URL Cloud: Label: malware
Source: https://femalsabler.shop/p8S	Avira URL Cloud: Label: malware

Found malware configuration

Source: P2V7Mr3DUF.exe.6496.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["crowdwarek.shop", "letterdrive.shop", "robinsharez.shop", "chipdonkeruz.shop", "soundtappysk.shop", "apporholis.shop", "femalsabler.shop", "handscreamny.shop", "versersleep.shop"], "Build id": "LOGS11--6969"}

Multi AV Scanner detection for submitted file

Source: P2V7Mr3DUF.exe	Virustotal: Detection: 48%			Perma Link
Source: P2V7Mr3DUF.exe	ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: P2V7Mr3DUF.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp	String decryptor: robinsharez.shop
Source: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp	String decryptor: handscreamny.shop
Source: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp	String decryptor: chipdonkeruz.shop
Source: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp	String decryptor: versersleep.shop
Source: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp	String decryptor: crowdwarek.shop
Source: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp	String decryptor: apporholis.shop
Source: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp	String decryptor: femalsabler.shop
Source: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp	String decryptor: soundtappysk.shop
Source: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp	String decryptor: letterdrive.shop
Source: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp	String decryptor: LOGS11--6969

Source: P2V7Mr3DUF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49699 version: TLS 1.2

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov ecx, edx	0_2_00E7B2B0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]	0_2_00E7C334
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_2_00EAF0E0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00E97070
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	0_2_00E7A05C
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00E8B184
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00E9B170
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00E8B173
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_00E8F2A0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov ecx, eax	0_2_00E98280
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_00E8B243
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	0_2_00E72210
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+72B923DBh]	0_2_00E7C3EC
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then jmp ecx	0_2_00E7D334
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00E92380
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_00E8B484
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_00E97490
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov ecx, eax	0_2_00EB2470
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h	0_2_00EB042D
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov ecx, eax	0_2_00EB042D
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov eax, edi	0_2_00E8C400
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_00E87405
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]	0_2_00E87405
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov edx, ecx	0_2_00E87405
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then push edi	0_2_00EAC5A0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]	0_2_00EAC5A0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00EA8520
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_00E8B667
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov ecx, dword ptr [00EBC548h]	0_2_00E88672
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00E9B652
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00E77620
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00E77620
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	0_2_00EB27B0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov esi, ecx	0_2_00E85720
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov ecx, eax	0_2_00E85720
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then jmp eax	0_2_00EB18A0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00E8B882
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], edx	0_2_00EAB870
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov edx, ecx	0_2_00EAB870
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	0_2_00E89840
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_00E9D830
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then test esi, esi	0_2_00EAC9A0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00E8A900
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]	0_2_00E95AF0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov ebx, eax	0_2_00E75AB0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov ebp, eax	0_2_00E75AB0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_00E9EA62
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov ecx, eax	0_2_00E7AA36
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov ebx, edx	0_2_00E9DBF0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov ecx, eax	0_2_00EB0BAB
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]	0_2_00E8BBA0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_00E9EBA1
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov dword ptr [ebx], 00000022h	0_2_00E9BBA0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_00E9EBB3
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00EB1BB0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_00E9EB5F
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_00E8AB2A
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00E8BB21
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00EB1B20
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00E9BB00
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00E96C76
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00EB1C40
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00E84C20
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00E95D6A
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh	0_2_00EB2D20
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]	0_2_00E8BEE1
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00E8AEFF
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then jmp ecx	0_2_00E7CEC7
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]	0_2_00E86ED0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00E79E09
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]	0_2_00E7DFE2
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_00E7DFE2
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]	0_2_00E78F90

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059043 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop) : 192.168.2.7:50040 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop) : 192.168.2.7:62182 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059051 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop) : 192.168.2.7:63559 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059037 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop) : 192.168.2.7:60374 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059035 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop) : 192.168.2.7:57437 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059041 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop) : 192.168.2.7:51993 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059049 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop) : 192.168.2.7:50277 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059057 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop) : 192.168.2.7:64220 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49699 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: crowdwarek.shop
Source: Malware configuration extractor	URLs: letterdrive.shop
Source: Malware configuration extractor	URLs: robinsharez.shop
Source: Malware configuration extractor	URLs: chipdonkeruz.shop
Source: Malware configuration extractor	URLs: soundtappysk.shop
Source: Malware configuration extractor	URLs: apporholis.shop
Source: Malware configuration extractor	URLs: femalsabler.shop
Source: Malware configuration extractor	URLs: handscreamny.shop
Source: Malware configuration extractor	URLs: versersleep.shop

Source: global traffic

TCP traffic: 192.168.2.7:63344 -> 1.1.1.1:53

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49699 -> 104.102.49.254:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Iq+Iq(Cq@CqContent-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=6f98276bb16ed8854225a9c6; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 09 Jan 2025 07:43:13 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: letterdrive.shop
Source: global traffic	DNS traffic detected: DNS query: soundtappysk.shop
Source: global traffic	DNS traffic detected: DNS query: femalsabler.shop
Source: global traffic	DNS traffic detected: DNS query: apporholis.shop
Source: global traffic	DNS traffic detected: DNS query: crowdwarek.shop
Source: global traffic	DNS traffic detected: DNS query: versersleep.shop
Source: global traffic	DNS traffic detected: DNS query: chipdonkeruz.shop
Source: global traffic	DNS traffic detected: DNS query: handscreamny.shop
Source: global traffic	DNS traffic detected: DNS query: robinsharez.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: P2V7Mr3DUF.exe, 00000000.00000003.1227584383.00000000006A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://femalsabler.shop/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1227769938.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://femalsabler.shop/api
Source: P2V7Mr3DUF.exe, 00000000.00000003.1227584383.00000000006A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://femalsabler.shop/p8S
Source: P2V7Mr3DUF.exe, 00000000.00000003.1227584383.00000000006A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://femalsabler.shop/p9S
Source: P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: P2V7Mr3DUF.exe, 00000000.00000003.1227584383.00000000006B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soundtappysk.shop/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/p
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242688965.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.00000000006A3000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243373569.00000000006A3000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242551637.00000000006A3000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242551637.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243477862.00000000006CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242551637.000000000069D000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49699 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: P2V7Mr3DUF.exe	Static PE information: section name:
Source: P2V7Mr3DUF.exe	Static PE information: section name: .idata
Source: P2V7Mr3DUF.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E7B2B0	0_2_00E7B2B0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E78880	0_2_00E78880
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E8D0C0	0_2_00E8D0C0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F	0_2_0102C14F
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0130A1A3	0_2_0130A1A3
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E97070	0_2_00E97070
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E76000	0_2_00E76000
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E821DB	0_2_00E821DB
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0101C048	0_2_0101C048
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E9B170	0_2_00E9B170
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EAF150	0_2_00EAF150
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E97133	0_2_00E97133
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E95100	0_2_00E95100
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_010420FF	0_2_010420FF
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E792A0	0_2_00E792A0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E742B0	0_2_00E742B0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E8825B	0_2_00E8825B
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E763C0	0_2_00E763C0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_01031232	0_2_01031232
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E92380	0_2_00E92380
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E78360	0_2_00E78360
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EAA4EF	0_2_00EAA4EF
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00FE04E5	0_2_00FE04E5
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EA54C4	0_2_00EA54C4
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EA74AB	0_2_00EA74AB
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EB2470	0_2_00EB2470
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EA2426	0_2_00EA2426
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EA443D	0_2_00EA443D
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E98437	0_2_00E98437
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E8C400	0_2_00E8C400
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E8D400	0_2_00E8D400
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E87405	0_2_00E87405
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_010405FF	0_2_010405FF
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EAC5A0	0_2_00EAC5A0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E7D545	0_2_00E7D545
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0103B4FE	0_2_0103B4FE
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E886FC	0_2_00E886FC
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E8F6D0	0_2_00E8F6D0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EB768E	0_2_00EB768E
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E8A690	0_2_00E8A690
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E77620	0_2_00E77620
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EB5620	0_2_00EB5620
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EA6610	0_2_00EA6610
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E957E0	0_2_00E957E0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EB27B0	0_2_00EB27B0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E79790	0_2_00E79790
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E85720	0_2_00E85720
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102F935	0_2_0102F935
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0103493E	0_2_0103493E
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EB18A0	0_2_00EB18A0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E97860	0_2_00E97860
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EAB870	0_2_00EAB870
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E89840	0_2_00E89840
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E76850	0_2_00E76850
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EAF820	0_2_00EAF820
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EA080E	0_2_00EA080E
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00FB49FE	0_2_00FB49FE
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E9A9F7	0_2_00E9A9F7
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E7E9B0	0_2_00E7E9B0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_01038878	0_2_01038878
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E8194F	0_2_00E8194F
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EA9923	0_2_00EA9923
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_010288D4	0_2_010288D4
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EA3930	0_2_00EA3930
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E73900	0_2_00E73900
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E95AF0	0_2_00E95AF0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E99ADE	0_2_00E99ADE
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E8DAD0	0_2_00E8DAD0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E75AB0	0_2_00E75AB0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0103EB60	0_2_0103EB60
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E7CA62	0_2_00E7CA62
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EB2A60	0_2_00EB2A60
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E9EA62	0_2_00E9EA62
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_01043BC3	0_2_01043BC3
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E9DBF0	0_2_00E9DBF0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E8BBA0	0_2_00E8BBA0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E9EBA1	0_2_00E9EBA1
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E9BBA0	0_2_00E9BBA0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E9EBB3	0_2_00E9EBB3
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EB1BB0	0_2_00EB1BB0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_01039A75	0_2_01039A75
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EA7B69	0_2_00EA7B69
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E98B67	0_2_00E98B67
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EACB40	0_2_00EACB40
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E9EB5F	0_2_00E9EB5F
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E72B20	0_2_00E72B20
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EB1B20	0_2_00EB1B20
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EA2B24	0_2_00EA2B24
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EA4CEF	0_2_00EA4CEF
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00F49CE8	0_2_00F49CE8
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E9FCBC	0_2_00E9FCBC
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E8DCB0	0_2_00E8DCB0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EAACB0	0_2_00EAACB0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E96C76	0_2_00E96C76
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EB1C40	0_2_00EB1C40
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E84C20	0_2_00E84C20
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EE3DCA	0_2_00EE3DCA
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E74DC0	0_2_00E74DC0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E90D90	0_2_00E90D90
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E95D6A	0_2_00E95D6A
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EB2D20	0_2_00EB2D20
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EACD27	0_2_00EACD27
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EA5D13	0_2_00EA5D13
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E8BEE1	0_2_00E8BEE1
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E93EFF	0_2_00E93EFF
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E72EF0	0_2_00E72EF0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E86ED0	0_2_00E86ED0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_01084F52	0_2_01084F52
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EA1E8E	0_2_00EA1E8E
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E91E70	0_2_00E91E70
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E7AE30	0_2_00E7AE30
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E7DFE2	0_2_00E7DFE2
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E7CFEC	0_2_00E7CFEC
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E99FE4	0_2_00E99FE4
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_01032E0C	0_2_01032E0C
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00EB1FB0	0_2_00EB1FB0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E8AF24	0_2_00E8AF24
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_00E97F30	0_2_00E97F30

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: String function: 00E84C10 appears 116 times
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: String function: 00E78170 appears 45 times

Source: P2V7Mr3DUF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: P2V7Mr3DUF.exe	Static PE information: Section: ZLIB complexity 0.9977090703616353
Source: P2V7Mr3DUF.exe	Static PE information: Section: moxejxev ZLIB complexity 0.994248147307925

Source: P2V7Mr3DUF.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@10/1

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe

Code function: 0_2_00EA54C4 CoCreateInstance,

0_2_00EA54C4

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: P2V7Mr3DUF.exe	Virustotal: Detection: 48%
Source: P2V7Mr3DUF.exe	ReversingLabs: Detection: 57%

Source: P2V7Mr3DUF.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe

File read: C:\Users\user\Desktop\P2V7Mr3DUF.exe

Jump to behavior

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Section loaded: dpapi.dll	Jump to behavior

Source: P2V7Mr3DUF.exe

Static file information: File size 1871360 > 1048576

Source: P2V7Mr3DUF.exe

Static PE information: Raw size of moxejxev is bigger than: 0x100000 < 0x19d400

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe

Unpacked PE file: 0.2.P2V7Mr3DUF.exe.e70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;moxejxev:EW;ttihhytk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;moxejxev:EW;ttihhytk:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: P2V7Mr3DUF.exe

Static PE information: real checksum: 0x1d3a58 should be: 0x1c90f7

Source: P2V7Mr3DUF.exe	Static PE information: section name:
Source: P2V7Mr3DUF.exe	Static PE information: section name: .idata
Source: P2V7Mr3DUF.exe	Static PE information: section name:
Source: P2V7Mr3DUF.exe	Static PE information: section name: moxejxev
Source: P2V7Mr3DUF.exe	Static PE information: section name: ttihhytk
Source: P2V7Mr3DUF.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push 1545E3ADh; mov dword ptr [esp], ebx	0_2_0102C181
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push 4385D7C0h; mov dword ptr [esp], edx	0_2_0102C1C9
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push 6401506Bh; mov dword ptr [esp], eax	0_2_0102C234
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push esi; mov dword ptr [esp], edx	0_2_0102C327
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push 3FD50980h; mov dword ptr [esp], eax	0_2_0102C41B
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push 5F609C29h; mov dword ptr [esp], ebx	0_2_0102C423
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push edi; mov dword ptr [esp], ebx	0_2_0102C53F
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push edi; mov dword ptr [esp], 12727E95h	0_2_0102C560
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push edx; mov dword ptr [esp], edi	0_2_0102C5C1
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push edx; mov dword ptr [esp], 7DCF9CE8h	0_2_0102C5ED
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push edi; mov dword ptr [esp], edx	0_2_0102C614
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push 20DB8661h; mov dword ptr [esp], eax	0_2_0102C697
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push ebx; mov dword ptr [esp], esp	0_2_0102C69E
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push ebp; mov dword ptr [esp], eax	0_2_0102C6AD
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push edi; mov dword ptr [esp], 2F6D9BB5h	0_2_0102C70C
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push 2F48C5C9h; mov dword ptr [esp], ecx	0_2_0102C7DE
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push 56BED39Bh; mov dword ptr [esp], esp	0_2_0102C848
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push edx; mov dword ptr [esp], 33F6AA5Eh	0_2_0102C882
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push ecx; mov dword ptr [esp], edx	0_2_0102C8C5
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push edi; mov dword ptr [esp], eax	0_2_0102C8D1
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push esi; mov dword ptr [esp], edi	0_2_0102C8FE
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push esi; mov dword ptr [esp], ecx	0_2_0102C94D
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push 1422C391h; mov dword ptr [esp], eax	0_2_0102C988
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push esi; mov dword ptr [esp], eax	0_2_0102C98C
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push ebx; mov dword ptr [esp], eax	0_2_0102C9E0
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push eax; mov dword ptr [esp], 6F9F1CB4h	0_2_0102CA7B
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push 589A655Bh; mov dword ptr [esp], ebp	0_2_0102CAF2
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push esi; mov dword ptr [esp], ebp	0_2_0102CBD3
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push esi; mov dword ptr [esp], ecx	0_2_0102CC6C
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push 5CAA8A64h; mov dword ptr [esp], esi	0_2_0102CC9B
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Code function: 0_2_0102C14F push edx; mov dword ptr [esp], ecx	0_2_0102CD15

Source: P2V7Mr3DUF.exe	Static PE information: section name: entropy: 7.98200153000811
Source: P2V7Mr3DUF.exe	Static PE information: section name: moxejxev entropy: 7.9537846812043025

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: ECABB3 second address: ECABB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1048981 second address: 1048985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1048985 second address: 1048989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1048989 second address: 104899B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F0BBD2F3606h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 104899B second address: 10489BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0BBCC73079h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10489BC second address: 10489F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBD2F3619h 0x00000007 jmp 00007F0BBD2F360Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f jl 00007F0BBD2F3618h 0x00000015 push edi 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10489F0 second address: 10489F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10401B0 second address: 10401B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10401B6 second address: 10401BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1047B77 second address: 1047B7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1047E81 second address: 1047E85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 104B831 second address: 104B84D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0BBD2F3610h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 104B84D second address: 104B90C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBCC73077h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c jnc 00007F0BBCC73077h 0x00000012 jmp 00007F0BBCC73071h 0x00000017 pushad 0x00000018 jmp 00007F0BBCC7306Dh 0x0000001d jmp 00007F0BBCC7306Eh 0x00000022 popad 0x00000023 popad 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 pushad 0x00000029 jmp 00007F0BBCC7306Ah 0x0000002e jo 00007F0BBCC7307Bh 0x00000034 jmp 00007F0BBCC73075h 0x00000039 popad 0x0000003a pop eax 0x0000003b or edx, 1785F417h 0x00000041 lea ebx, dword ptr [ebp+1245447Bh] 0x00000047 push 00000000h 0x00000049 push esi 0x0000004a call 00007F0BBCC73068h 0x0000004f pop esi 0x00000050 mov dword ptr [esp+04h], esi 0x00000054 add dword ptr [esp+04h], 00000015h 0x0000005c inc esi 0x0000005d push esi 0x0000005e ret 0x0000005f pop esi 0x00000060 ret 0x00000061 sub dword ptr [ebp+122D36ABh], ebx 0x00000067 jnc 00007F0BBCC7306Bh 0x0000006d mov edi, 15129BACh 0x00000072 xchg eax, ebx 0x00000073 push edx 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 104B90C second address: 104B910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 104BA35 second address: 104BAC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BBCC7306Bh 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push ecx 0x0000000e je 00007F0BBCC73066h 0x00000014 pop ecx 0x00000015 ja 00007F0BBCC73073h 0x0000001b popad 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 jbe 00007F0BBCC73078h 0x00000026 jng 00007F0BBCC73072h 0x0000002c jmp 00007F0BBCC7306Ch 0x00000031 pop eax 0x00000032 sub dword ptr [ebp+122D36B9h], esi 0x00000038 call 00007F0BBCC73070h 0x0000003d clc 0x0000003e pop ecx 0x0000003f lea ebx, dword ptr [ebp+12454486h] 0x00000045 jnl 00007F0BBCC7306Ch 0x0000004b xchg eax, ebx 0x0000004c jl 00007F0BBCC73074h 0x00000052 jmp 00007F0BBCC7306Eh 0x00000057 push eax 0x00000058 push esi 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 104BAC6 second address: 104BACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 104BACA second address: 104BACE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 106B2EA second address: 106B2EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 106B2EE second address: 106B321 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F0BBCC73074h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F0BBCC73075h 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10394ED second address: 103953E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 je 00007F0BBD2F3606h 0x0000000c popad 0x0000000d jg 00007F0BBD2F3612h 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 jmp 00007F0BBD2F3619h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jc 00007F0BBD2F3608h 0x00000027 push ebx 0x00000028 pop ebx 0x00000029 jnp 00007F0BBD2F3608h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 103953E second address: 103955D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBCC73075h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F0BBCC73066h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 103955D second address: 1039561 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1039561 second address: 1039567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10695D2 second address: 1069602 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0BBD2F3610h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0BBD2F3616h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1069602 second address: 1069606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1069606 second address: 1069610 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0BBD2F3606h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1069610 second address: 1069619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 106978E second address: 1069797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1069797 second address: 106979B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1069A9D second address: 1069AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1069AA1 second address: 1069ABE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBCC73077h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1069ABE second address: 1069ADE instructions: 0x00000000 rdtsc 0x00000002 js 00007F0BBD2F3619h 0x00000008 jg 00007F0BBD2F3606h 0x0000000e jmp 00007F0BBD2F360Dh 0x00000013 push edi 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1069F3D second address: 1069F46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1069F46 second address: 1069F4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1069F4C second address: 1069F50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1069F50 second address: 1069F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F0BBD2F3635h 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F0BBD2F3606h 0x00000014 jc 00007F0BBD2F3606h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 106A0B2 second address: 106A0CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBCC73073h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 106A0CE second address: 106A0D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 106A3C2 second address: 106A3C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 106A3C6 second address: 106A3CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1039508 second address: 103953E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 jmp 00007F0BBCC73079h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007F0BBCC73068h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a jnp 00007F0BBCC73068h 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 106E724 second address: 106E728 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 106E8DB second address: 106E8E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1076177 second address: 107619B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0BBD2F3606h 0x0000000a pop eax 0x0000000b jmp 00007F0BBD2F3619h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1075873 second address: 107588B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0BBCC73066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F0BBCC7306Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107588B second address: 1075891 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1075891 second address: 1075897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1075897 second address: 10758B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BBD2F3611h 0x00000009 jnp 00007F0BBD2F3606h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1075A0F second address: 1075A2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F0BBCC7306Dh 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1075A2D second address: 1075A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BBD2F3616h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push esi 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1075A4E second address: 1075A53 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1075D54 second address: 1075D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1075D58 second address: 1075D5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1075ECB second address: 1075EE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0BBD2F360Fh 0x0000000a jl 00007F0BBD2F3625h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1076010 second address: 1076014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1076014 second address: 1076018 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107983E second address: 107985B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F0BBCC73068h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jnp 00007F0BBCC73074h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107985B second address: 107985F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107985F second address: 107986D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107986D second address: 1079871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1079871 second address: 107987B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0BBCC73066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107987B second address: 107988F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107988F second address: 10798E3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0BBCC73068h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F0BBCC73068h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 push ecx 0x00000028 pop edi 0x00000029 mov edi, dword ptr [ebp+122D1A39h] 0x0000002f push B775FEDAh 0x00000034 push esi 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F0BBCC73076h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10798E3 second address: 10798E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1079BBB second address: 1079BC8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0BBCC73066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1079DC4 second address: 1079DC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1079EE1 second address: 1079EE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1079EE7 second address: 1079EEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107A09A second address: 107A0AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BBCC7306Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107A5ED second address: 107A5F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107A5F1 second address: 107A5F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107A735 second address: 107A752 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBD2F3619h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107AC4C second address: 107AC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107AC50 second address: 107AC54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107AC54 second address: 107AC5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107CC97 second address: 107CC9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107D821 second address: 107D825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107E262 second address: 107E268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107DFD8 second address: 107DFF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BBCC7306Fh 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jg 00007F0BBCC73066h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107E268 second address: 107E26C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1080219 second address: 1080221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1081CCF second address: 1081CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1081CD3 second address: 1081CD9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1030DEB second address: 1030DF1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1084C83 second address: 1084C87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1084C87 second address: 1084C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1084C8D second address: 1084C94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1084C94 second address: 1084C9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1087123 second address: 1087166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jbe 00007F0BBCC73066h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d sub dword ptr [ebp+1247EB7Ah], ebx 0x00000013 push 00000000h 0x00000015 mov bl, 4Eh 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F0BBCC73068h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 mov di, cx 0x00000036 mov dword ptr [ebp+122D2D3Fh], esi 0x0000003c push eax 0x0000003d push edx 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1089640 second address: 1089658 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBD2F3614h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1089658 second address: 1089674 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jmp 00007F0BBCC7306Dh 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1089674 second address: 1089679 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108A849 second address: 108A84D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108B938 second address: 108B940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108A84D second address: 108A861 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBCC73070h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108C652 second address: 108C656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108B940 second address: 108B946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108A861 second address: 108A888 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0BBD2F360Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0BBD2F3612h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108C656 second address: 108C65C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108A888 second address: 108A8A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBD2F3616h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108C65C second address: 108C661 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108C661 second address: 108C667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108A8A2 second address: 108A949 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0BBCC73068h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F0BBCC73068h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 push dword ptr fs:[00000000h] 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007F0BBCC73068h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 00000017h 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 call 00007F0BBCC7306Eh 0x0000004d mov dword ptr [ebp+1245475Dh], ecx 0x00000053 pop ebx 0x00000054 mov dword ptr fs:[00000000h], esp 0x0000005b mov di, A601h 0x0000005f and ebx, 6B88DF26h 0x00000065 mov eax, dword ptr [ebp+122D175Dh] 0x0000006b mov dword ptr [ebp+122D18EEh], ebx 0x00000071 push FFFFFFFFh 0x00000073 jmp 00007F0BBCC7306Fh 0x00000078 nop 0x00000079 pushad 0x0000007a je 00007F0BBCC73068h 0x00000080 pushad 0x00000081 popad 0x00000082 push eax 0x00000083 push edx 0x00000084 jl 00007F0BBCC73066h 0x0000008a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108A949 second address: 108A94D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108C667 second address: 108C71E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F0BBCC73068h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 jl 00007F0BBCC7306Dh 0x0000002a push edx 0x0000002b mov ebx, 038D20DAh 0x00000030 pop ebx 0x00000031 mov di, ax 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007F0BBCC73068h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 00000019h 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 mov ebx, dword ptr [ebp+122D1A1Eh] 0x00000056 call 00007F0BBCC73072h 0x0000005b or di, 46B9h 0x00000060 pop edi 0x00000061 push 00000000h 0x00000063 mov ebx, dword ptr [ebp+122D3A12h] 0x00000069 xchg eax, esi 0x0000006a jno 00007F0BBCC7307Ah 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 jmp 00007F0BBCC73077h 0x0000007a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108C71E second address: 108C724 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108D883 second address: 108D88D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F0BBCC73066h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108C89F second address: 108C8C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F0BBD2F360Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F0BBD2F3608h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108C8C0 second address: 108C8CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F0BBCC73066h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108C99C second address: 108C9A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108E8AF second address: 108E8B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108E8B5 second address: 108E948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007F0BBD2F3608h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 00000019h 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 jmp 00007F0BBD2F3615h 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edi 0x0000002b call 00007F0BBD2F3608h 0x00000030 pop edi 0x00000031 mov dword ptr [esp+04h], edi 0x00000035 add dword ptr [esp+04h], 0000001Bh 0x0000003d inc edi 0x0000003e push edi 0x0000003f ret 0x00000040 pop edi 0x00000041 ret 0x00000042 mov edi, ebx 0x00000044 pushad 0x00000045 sub dword ptr [ebp+122D1A45h], eax 0x0000004b jmp 00007F0BBD2F360Eh 0x00000050 popad 0x00000051 push 00000000h 0x00000053 jne 00007F0BBD2F360Ch 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c jnl 00007F0BBD2F360Ch 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108E948 second address: 108E94C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108F7C7 second address: 108F7D1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0BBD2F3606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108F87B second address: 108F897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BBCC73078h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108EB18 second address: 108EB40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BBD2F3610h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F0BBD2F360Dh 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108F897 second address: 108F89B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108EB40 second address: 108EB8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 nop 0x00000007 xor edi, dword ptr [ebp+122D37EEh] 0x0000000d push dword ptr fs:[00000000h] 0x00000014 xor dword ptr [ebp+122D358Eh], ecx 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 or bh, FFFFFFD5h 0x00000024 mov eax, dword ptr [ebp+122D06D9h] 0x0000002a sub dword ptr [ebp+124526ABh], ecx 0x00000030 push FFFFFFFFh 0x00000032 sub dword ptr [ebp+122D2B80h], ebx 0x00000038 nop 0x00000039 push ecx 0x0000003a jp 00007F0BBD2F3608h 0x00000040 push edi 0x00000041 pop edi 0x00000042 pop ecx 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 jbe 00007F0BBD2F360Ch 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 108EB8E second address: 108EB92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10917B9 second address: 10917C3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0BBD2F3606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 109275F second address: 109276A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0BBCC73066h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 109276A second address: 1092782 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0BBD2F3613h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1095570 second address: 1095576 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1095576 second address: 1095592 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BBD2F3618h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 109197E second address: 10919EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBCC73075h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov di, dx 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F0BBCC73068h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov dword ptr fs:[00000000h], esp 0x00000035 or bx, 36AFh 0x0000003a mov eax, dword ptr [ebp+122D02A9h] 0x00000040 add dword ptr [ebp+122D29F7h], edi 0x00000046 push FFFFFFFFh 0x00000048 xor dword ptr [ebp+122D3690h], edx 0x0000004e nop 0x0000004f jl 00007F0BBCC73074h 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10919EA second address: 10919EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1095592 second address: 10955F7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0BBCC73066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F0BBCC73068h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 cmc 0x0000002a jmp 00007F0BBCC7306Dh 0x0000002f push 00000000h 0x00000031 add edi, 0FB89B31h 0x00000037 push 00000000h 0x00000039 pushad 0x0000003a pushad 0x0000003b mov ecx, dword ptr [ebp+122D385Ah] 0x00000041 popad 0x00000042 mov ecx, dword ptr [ebp+122D18CDh] 0x00000048 popad 0x00000049 xchg eax, esi 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F0BBCC7306Eh 0x00000051 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10919EE second address: 10919FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push ebx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10955F7 second address: 1095606 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10919FE second address: 1091A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10966B6 second address: 10966BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10966BA second address: 1096737 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0BBD2F3606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop ebx 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 xor ebx, dword ptr [ebp+122D3A2Ah] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007F0BBD2F3608h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 mov edi, dword ptr [ebp+122D2ED5h] 0x0000003a jmp 00007F0BBD2F360Bh 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push ebx 0x00000044 call 00007F0BBD2F3608h 0x00000049 pop ebx 0x0000004a mov dword ptr [esp+04h], ebx 0x0000004e add dword ptr [esp+04h], 00000017h 0x00000056 inc ebx 0x00000057 push ebx 0x00000058 ret 0x00000059 pop ebx 0x0000005a ret 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e ja 00007F0BBD2F360Ch 0x00000064 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10977F5 second address: 10977F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10977F9 second address: 109781A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F0BBD2F360Ch 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f jnp 00007F0BBD2F3608h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 109694B second address: 109694F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 109781A second address: 109781E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1098BA8 second address: 1098BAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1098BAE second address: 1098BB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 109FD72 second address: 109FD78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 109FD78 second address: 109FD7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 109F864 second address: 109F868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A5038 second address: 10A503D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A503D second address: 10A5071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F0BBCC73078h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 jmp 00007F0BBCC7306Ch 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A5071 second address: 10A5077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A5077 second address: 10A508A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0BBCC73066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A508A second address: 10A508E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A508E second address: 10A50A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jc 00007F0BBCC73084h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A50A3 second address: 10A50A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A519C second address: 10A51A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A98CC second address: 10A98D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A98D0 second address: 10A98FC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0BBCC73066h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0BBCC7306Ch 0x00000016 jmp 00007F0BBCC7306Fh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A98FC second address: 10A9900 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A9900 second address: 10A9910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0BBCC73066h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A9910 second address: 10A9918 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A9EBE second address: 10A9EC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A9EC2 second address: 10A9ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A9ECC second address: 10A9EDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BBCC7306Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A9EDF second address: 10A9EF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBD2F3614h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10A9EF7 second address: 10A9F10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F0BBCC73066h 0x0000000a jmp 00007F0BBCC7306Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10AEBE1 second address: 10AEBFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0BBD2F3612h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10AEBFA second address: 10AEC49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBCC7306Eh 0x00000007 jbe 00007F0BBCC73066h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 jmp 00007F0BBCC73077h 0x00000015 jmp 00007F0BBCC73074h 0x0000001a pop ebx 0x0000001b popad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f js 00007F0BBCC73066h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10AEDD7 second address: 10AEDDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10AEDDB second address: 10AEDE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10AE94A second address: 10AE94E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10AF7A1 second address: 10AF7B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F0BBCC73068h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10AF7B4 second address: 10AF7BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10AF7BB second address: 10AF7E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BBCC73070h 0x00000009 jmp 00007F0BBCC73073h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10AFC2C second address: 10AFC4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0BBD2F3606h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 jg 00007F0BBD2F3606h 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10AFC4A second address: 10AFC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10AFC50 second address: 10AFC54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10AFC54 second address: 10AFC5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10B8266 second address: 10B8274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10B8274 second address: 10B8294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0BBCC73075h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10B8294 second address: 10B829A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10B71F8 second address: 10B71FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10B71FC second address: 10B7202 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10B7202 second address: 10B720C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0BBCC73066h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10B7607 second address: 10B760B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10B760B second address: 10B762F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007F0BBCC7307Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10B78F4 second address: 10B78F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10B78F8 second address: 10B7945 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007F0BBCC73066h 0x0000000d jmp 00007F0BBCC7306Ah 0x00000012 jne 00007F0BBCC73066h 0x00000018 popad 0x00000019 jmp 00007F0BBCC73079h 0x0000001e popad 0x0000001f push ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F0BBCC73072h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10B7AC5 second address: 10B7B3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBD2F3610h 0x00000007 jmp 00007F0BBD2F3615h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007F0BBD2F361Ch 0x00000017 jmp 00007F0BBD2F3616h 0x0000001c pushad 0x0000001d jmp 00007F0BBD2F3612h 0x00000022 jmp 00007F0BBD2F3613h 0x00000027 pushad 0x00000028 popad 0x00000029 jnc 00007F0BBD2F3606h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10B7CB8 second address: 10B7CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10B7CBE second address: 10B7CC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 105FD18 second address: 105FD1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 105FD1C second address: 105FD54 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0BBD2F360Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jg 00007F0BBD2F3621h 0x00000015 jmp 00007F0BBD2F3615h 0x0000001a jne 00007F0BBD2F3606h 0x00000020 jc 00007F0BBD2F360Ch 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10B6A22 second address: 10B6A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1078045 second address: 1078049 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1078049 second address: 107804F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107804F second address: 1078054 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107823C second address: 1078259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BBCC73079h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1078259 second address: 107825D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10784EC second address: 10784F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10784F3 second address: 10784F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10784F8 second address: 1078507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1078507 second address: 107850E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1078666 second address: 107869F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0BBCC73073h 0x00000008 jmp 00007F0BBCC7306Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 jne 00007F0BBCC7306Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F0BBCC73072h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 107869F second address: 10786A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10788BA second address: 10788F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBCC73076h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jo 00007F0BBCC73066h 0x00000013 jmp 00007F0BBCC73078h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1078A96 second address: 1078A9B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1078FFC second address: 107900A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BBCC7306Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10793A5 second address: 10793AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1079490 second address: 105FD18 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 movzx edx, bx 0x0000000c mov edx, ecx 0x0000000e call dword ptr [ebp+124523B6h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jl 00007F0BBCC7306Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10BEA37 second address: 10BEA5E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F0BBD2F3610h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c je 00007F0BBD2F3606h 0x00000012 jnp 00007F0BBD2F3606h 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10BECF8 second address: 10BECFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10BECFC second address: 10BED02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10BF12E second address: 10BF134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10BF134 second address: 10BF158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F0BBD2F3619h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10BF2AE second address: 10BF2C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBCC7306Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10BF2C1 second address: 10BF2E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BBD2F3619h 0x00000009 jng 00007F0BBD2F3606h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10C5C5A second address: 10C5C62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10C5C62 second address: 10C5C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10C5C68 second address: 10C5C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10C5C6E second address: 10C5C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0BBD2F3606h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10C5C79 second address: 10C5C80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10C5D89 second address: 10C5D8E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10C5D8E second address: 10C5D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10C6044 second address: 10C6048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10C6048 second address: 10C604E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10C604E second address: 10C6053 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10C8713 second address: 10C872B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F0BBCC73072h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10CB41F second address: 10CB43F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F0BBD2F3606h 0x0000000a jmp 00007F0BBD2F3616h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10CB43F second address: 10CB443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D177F second address: 10D1786 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D1786 second address: 10D179F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F0BBCC7308Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007F0BBCC73066h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D0083 second address: 10D0087 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D0461 second address: 10D047A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBCC7306Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F0BBCC73066h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D047A second address: 10D047E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D047E second address: 10D04B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BBCC73078h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e jnc 00007F0BBCC7306Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007F0BBCC73066h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D0618 second address: 10D0623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D0789 second address: 10D07B8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0BBCC73068h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F0BBCC7307Bh 0x00000014 push ecx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D07B8 second address: 10D07E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBD2F3614h 0x00000007 pushad 0x00000008 jmp 00007F0BBD2F360Fh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1078E23 second address: 1078E28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1078E28 second address: 1078E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push ebx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop ebx 0x0000000f pop ebx 0x00000010 nop 0x00000011 mov ebx, dword ptr [ebp+12480D68h] 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F0BBD2F3608h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 add cl, 00000035h 0x00000034 mov cl, 72h 0x00000036 add eax, ebx 0x00000038 sub edx, dword ptr [ebp+122D3952h] 0x0000003e nop 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 jl 00007F0BBD2F3606h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1078E75 second address: 1078E83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F0BBCC7306Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1078E83 second address: 1078EA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push esi 0x00000007 push edi 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edi 0x0000000b pop esi 0x0000000c nop 0x0000000d mov cx, dx 0x00000010 mov dword ptr [ebp+122D1943h], edi 0x00000016 push 00000004h 0x00000018 movsx ecx, di 0x0000001b push eax 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D0934 second address: 10D0938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D0938 second address: 10D095A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0BBD2F3606h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0BBD2F3612h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D0A9C second address: 10D0AB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F0BBCC73066h 0x0000000e js 00007F0BBCC73066h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D0AB0 second address: 10D0ABF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0BBD2F3606h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D0ABF second address: 10D0AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D0AC8 second address: 10D0ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D0ACE second address: 10D0AF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0BBCC73078h 0x00000011 jnc 00007F0BBCC73066h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D0AF8 second address: 10D0B02 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0BBD2F3606h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D46E6 second address: 10D472A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BBCC73078h 0x00000009 ja 00007F0BBCC73066h 0x0000000f popad 0x00000010 jc 00007F0BBCC73081h 0x00000016 jmp 00007F0BBCC73079h 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D472A second address: 10D472F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D472F second address: 10D475D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BBCC73077h 0x00000009 popad 0x0000000a jnl 00007F0BBCC73068h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D475D second address: 10D4761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D4761 second address: 10D4765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D4765 second address: 10D476B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D476B second address: 10D477F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007F0BBCC73066h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D49E8 second address: 10D49EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D49EC second address: 10D4A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jp 00007F0BBCC73066h 0x00000013 jnc 00007F0BBCC73066h 0x00000019 popad 0x0000001a push eax 0x0000001b jmp 00007F0BBCC7306Ch 0x00000020 pop eax 0x00000021 push ebx 0x00000022 push eax 0x00000023 pop eax 0x00000024 pushad 0x00000025 popad 0x00000026 pop ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10D4A1E second address: 10D4A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DB8BA second address: 10DB8BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DB8BE second address: 10DB8C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DB8C8 second address: 10DB8CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DB8CC second address: 10DB8D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DBBA3 second address: 10DBBBB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0BBCC73072h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DC195 second address: 10DC1A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007F0BBD2F3606h 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DC1A6 second address: 10DC1AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DC1AB second address: 10DC1B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F0BBD2F3606h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DC1B6 second address: 10DC1ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BBCC73070h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f ja 00007F0BBCC7306Eh 0x00000015 jno 00007F0BBCC73066h 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 push esi 0x00000021 pop esi 0x00000022 jng 00007F0BBCC73066h 0x00000028 popad 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DC1ED second address: 10DC1F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DC72F second address: 10DC747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BBCC7306Bh 0x00000009 pop eax 0x0000000a je 00007F0BBCC7306Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DC9FC second address: 10DCA16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBD2F3614h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DCA16 second address: 10DCA30 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0BBCC7306Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jnl 00007F0BBCC73066h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10791A3 second address: 10791A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DCD3A second address: 10DCD3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DCD3E second address: 10DCD52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBD2F360Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DCD52 second address: 10DCD86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F0BBCC73075h 0x00000011 jnl 00007F0BBCC73066h 0x00000017 jng 00007F0BBCC73066h 0x0000001d popad 0x0000001e popad 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10DCD86 second address: 10DCDD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBD2F360Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F0BBD2F3612h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0BBD2F3617h 0x00000017 jmp 00007F0BBD2F360Dh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10E167C second address: 10E168C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0BBCC73066h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10E168C second address: 10E1692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10E1692 second address: 10E1696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10E1696 second address: 10E169A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10E169A second address: 10E16A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10E16A0 second address: 10E16A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10E16A6 second address: 10E16AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10E16AC second address: 10E16B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10E16B0 second address: 10E16B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10E183B second address: 10E1841 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10ED8FE second address: 10ED904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10ED904 second address: 10ED91C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBD2F3612h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10EC1F7 second address: 10EC1FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10EC1FB second address: 10EC201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10EC4B3 second address: 10EC4EA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0BBCC7307Bh 0x00000008 jmp 00007F0BBCC73075h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0BBCC73076h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10EC4EA second address: 10EC4EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10EC4EF second address: 10EC513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jbe 00007F0BBCC73066h 0x0000000c popad 0x0000000d jl 00007F0BBCC7307Bh 0x00000013 jmp 00007F0BBCC7306Fh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10EC677 second address: 10EC686 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F0BBD2F3606h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10EC686 second address: 10EC68C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10EC68C second address: 10EC6AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnp 00007F0BBD2F360Ch 0x0000000b jl 00007F0BBD2F3606h 0x00000011 popad 0x00000012 jbe 00007F0BBD2F3637h 0x00000018 js 00007F0BBD2F360Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10ED778 second address: 10ED77C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10ED77C second address: 10ED78A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0BBD2F3606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10ED78A second address: 10ED794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0BBCC73066h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10F5D35 second address: 10F5D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1102D5C second address: 1102D62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1102D62 second address: 1102D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1102744 second address: 1102748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1102748 second address: 1102752 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0BBD2F3606h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1102752 second address: 1102764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F0BBCC7306Ch 0x0000000c jo 00007F0BBCC73066h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1102764 second address: 110276C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 110276C second address: 1102791 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F0BBCC73066h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0BBCC73072h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 102F386 second address: 102F38C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1105A08 second address: 1105A10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 110B395 second address: 110B3B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBD2F3617h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 110B3B3 second address: 110B3BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 110B3BD second address: 110B3C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1111D0D second address: 1111D14 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 111447F second address: 1114485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1114485 second address: 1114495 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBCC7306Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1114495 second address: 11144BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0BBD2F3619h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1035E55 second address: 1035E82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F0BBCC7306Fh 0x0000000b jmp 00007F0BBCC73072h 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1035E82 second address: 1035E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 111D77A second address: 111D784 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0BBCC73066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 111D784 second address: 111D789 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 111D789 second address: 111D795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0BBCC73066h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 111DB52 second address: 111DB6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BBD2F360Dh 0x00000009 je 00007F0BBD2F3606h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 111DB6E second address: 111DB77 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 11230F5 second address: 11230F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 11230F9 second address: 11230FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 11230FF second address: 1123139 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0BBD2F360Bh 0x00000008 jne 00007F0BBD2F3606h 0x0000000e jmp 00007F0BBD2F3610h 0x00000013 jmp 00007F0BBD2F3610h 0x00000018 popad 0x00000019 pushad 0x0000001a push edx 0x0000001b pop edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1131754 second address: 1131761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007F0BBCC73066h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1131761 second address: 113176B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0BBD2F3612h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 113176B second address: 1131771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1134AA7 second address: 1134AD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0BBD2F3616h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0BBD2F360Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1134AD6 second address: 1134ADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 114399F second address: 11439B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BBD2F360Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 10343ED second address: 10343F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1159B22 second address: 1159B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0BBD2F3613h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1159B3A second address: 1159B4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F0BBCC7306Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1159B4B second address: 1159B4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1159E20 second address: 1159E40 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0BBCC73076h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 1159E40 second address: 1159E46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 115CD16 second address: 115CD1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 115F6A3 second address: 115F6A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 115FCA4 second address: 115FCAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 115FCAA second address: 115FCAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 115FCAE second address: 115FCFD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dx, 6252h 0x0000000d and dl, FFFFFFE5h 0x00000010 push dword ptr [ebp+122D2B46h] 0x00000016 mov dh, ah 0x00000018 call 00007F0BBCC73069h 0x0000001d jns 00007F0BBCC73082h 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jng 00007F0BBCC73066h 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 115FCFD second address: 115FD02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 115FD02 second address: 115FD07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 115FD07 second address: 115FD2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0BBD2F3612h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 115FD2D second address: 115FD3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 115FD3C second address: 115FD54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0BBD2F360Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 115FD54 second address: 115FD62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0BBCC7306Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 11614D1 second address: 11614E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F0BBD2F3608h 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 11610A1 second address: 11610AB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0BBCC7306Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	RDTSC instruction interceptor: First address: 11610AB second address: 11610DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 jnp 00007F0BBD2F3606h 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0BBD2F360Bh 0x00000019 pushad 0x0000001a jnp 00007F0BBD2F3606h 0x00000020 jns 00007F0BBD2F3606h 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Special instruction interceptor: First address: ECABD7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Special instruction interceptor: First address: 106E5A5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Special instruction interceptor: First address: 106CCC2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Special instruction interceptor: First address: 1098C1E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Special instruction interceptor: First address: ECAB26 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Special instruction interceptor: First address: 10FAB29 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe TID: 1408	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe TID: 4236	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: P2V7Mr3DUF.exe, P2V7Mr3DUF.exe, 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: P2V7Mr3DUF.exe, 00000000.00000003.1242688965.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.0000000000688000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242551637.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243477862.00000000006CE000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.0000000000688000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: P2V7Mr3DUF.exe, 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	File opened: NTICE
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	File opened: SICE
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe

Code function: 0_2_00EB02C0 LdrInitializeThunk,

0_2_00EB02C0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: P2V7Mr3DUF.exe	String found in binary or memory: robinsharez.shop
Source: P2V7Mr3DUF.exe	String found in binary or memory: chipdonkeruz.shop
Source: P2V7Mr3DUF.exe	String found in binary or memory: handscreamny.shop
Source: P2V7Mr3DUF.exe	String found in binary or memory: crowdwarek.shop
Source: P2V7Mr3DUF.exe	String found in binary or memory: versersleep.shop
Source: P2V7Mr3DUF.exe	String found in binary or memory: femalsabler.shop
Source: P2V7Mr3DUF.exe	String found in binary or memory: apporholis.shop
Source: P2V7Mr3DUF.exe	String found in binary or memory: letterdrive.shop
Source: P2V7Mr3DUF.exe	String found in binary or memory: soundtappysk.shop

Source: P2V7Mr3DUF.exe, P2V7Mr3DUF.exe, 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: FnProgram Manager

Source: C:\Users\user\Desktop\P2V7Mr3DUF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	5 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
P2V7Mr3DUF.exe	48%	Virustotal		Browse
P2V7Mr3DUF.exe	58%	ReversingLabs	Win32.Trojan.Symmi
P2V7Mr3DUF.exe	100%	Avira	TR/Crypt.TPM.Gen
P2V7Mr3DUF.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://femalsabler.shop/api	100%	Avira URL Cloud	malware
https://soundtappysk.shop/	100%	Avira URL Cloud	malware
https://femalsabler.shop/	100%	Avira URL Cloud	malware
https://femalsabler.shop/p9S	100%	Avira URL Cloud	malware
letterdrive.shop	100%	Avira URL Cloud	malware
https://femalsabler.shop/p8S	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
letterdrive.shop	unknown	unknown	true	unknown
femalsabler.shop	unknown	unknown	true	unknown
robinsharez.shop	unknown	unknown	true	unknown
soundtappysk.shop	unknown	unknown	true	unknown
crowdwarek.shop	unknown	unknown	true	unknown
versersleep.shop	unknown	unknown	true	unknown
chipdonkeruz.shop	unknown	unknown	true	unknown
apporholis.shop	unknown	unknown	true	unknown
handscreamny.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
robinsharez.shop	false		high
versersleep.shop	false		high
crowdwarek.shop	false		high
letterdrive.shop	true	Avira URL Cloud: malware	unknown
femalsabler.shop	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
soundtappysk.shop	false		high
apporholis.shop	false		high
handscreamny.shop	false		high
chipdonkeruz.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://player.vimeo.com	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://soundtappysk.shop/	P2V7Mr3DUF.exe, 00000000.00000003.1227584383.00000000006B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://femalsabler.shop/p8S	P2V7Mr3DUF.exe, 00000000.00000003.1227584383.00000000006A3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://medal.tv	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242551637.000000000069D000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://femalsabler.shop/p9S	P2V7Mr3DUF.exe, 00000000.00000003.1227584383.00000000006A3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/p	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://femalsabler.shop/	P2V7Mr3DUF.exe, 00000000.00000003.1227584383.00000000006A3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://recaptcha.net	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/	P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://femalsabler.shop/api	P2V7Mr3DUF.exe, 00000000.00000003.1227769938.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/	P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.steampowered.com/	P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242738396.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243279875.000000000069A000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/mobile	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/	P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242665132.00000000006E2000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000002.1243553751.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	P2V7Mr3DUF.exe, 00000000.00000003.1242515936.0000000000714000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242515936.000000000071C000.00000004.00000020.00020000.00000000.sdmp, P2V7Mr3DUF.exe, 00000000.00000003.1242723643.000000000071C000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586507
Start date and time:	2025-01-09 08:42:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	P2V7Mr3DUF.exe renamed because original name is a hash value
Original Sample Name:	110012cdf8fae9fdf6a917ce78ea93ca.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@10/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:43:11	API Interceptor	4x Sleep call for process: P2V7Mr3DUF.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	v3tb7mqP48.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	asd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	socolo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer	Browse	104.102.49.254
	NjFiIQNSid.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ZxSWvC0Tz7.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	v3tb7mqP48.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	23.60.214.185
	https://workdrive.zohopublic.com/writer/open/p369v39db425d23f84b09b5751cf359b081f4	Get hash	malicious	Unknown	Browse	2.19.126.143
	https://jmak-service.com/3225640388	Get hash	malicious	HTMLPhisher	Browse	23.38.98.78
	malw.hta	Get hash	malicious	Branchlock Obfuscator	Browse	23.56.162.204
	06012025_1416_bombastic.hta	Get hash	malicious	Branchlock Obfuscator	Browse	23.56.162.204
	malw.hta	Get hash	malicious	Unknown	Browse	23.56.162.204
	asd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	EPSONOPOSADKV3.00ER10.zip	Get hash	malicious	Unknown	Browse	184.28.90.27
	miori.x86.elf	Get hash	malicious	Unknown	Browse	104.123.242.179

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	v3tb7mqP48.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	xCnwCctDWC.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DLKs2Qeljg.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	fuk7RfLrD3.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Ljrprfl3BH.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DPlvBkg4aj.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://veryfast.io/?ap=adw&as=g_d_fast_in&dm%5Bads%5D=new_static&dm%5Btype%5D=dis&gad_source=5&gclid=EAIaIQobChMIgp352NzmigMVZAOzAB0wMA8oEAEYASAAEgI_hfD_BwE	Get hash	malicious	Unknown	Browse	104.102.49.254
	web55.mp4.hta	Get hash	malicious	LummaC	Browse	104.102.49.254
	Rgr8LJz.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.948155105057363
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	P2V7Mr3DUF.exe
File size:	1'871'360 bytes
MD5:	110012cdf8fae9fdf6a917ce78ea93ca
SHA1:	d290732f03ffa047ab80ead03305a797b0ba3e77
SHA256:	66544fcaa9e5fd43b2250477fc3bcddd1059718b28fdbc3d8b6723943928a483
SHA512:	30e2424aa956e0e4a4196cba50de07dad311b9a4e2064c1f8944a8ab4683e4d844efce015ec7de126dd92dd5bcb9d02a3294b141edcb4e5b84bb29b0281c9a29
SSDEEP:	49152:/Rk9qL6raptkeS8MzHWFPZBE3+eq3YxTS:pk+DptkQMiFPTE3NJ
TLSH:	C08533357E6F7377C2F0BEF6086E96438642E3104F1F74A6324A49996D13BA6183990B
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...TQ}g.................(............I...........@...........................I.....X:....@.................................Y`..m..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x89b000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x677D5154 [Tue Jan 7 16:07:48 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F0BBC8C646Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x56059	0x6d	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x55000	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x561f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x54000	0x27c00	48b7d8e6b4653ff243b341eebfd85602	False	0.9977090703616353	data	7.98200153000811	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x55000	0x2b0	0x200	218115c9c308e29afe05cc5a3bd158c0	False	0.796875	data	6.081299225280876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x56000	0x1000	0x200	20eae372ffdb39486b5a3eec1e928253	False	0.154296875	data	1.0789976601211375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x57000	0x2a5000	0x200	050ec1057f1ea63424b6b09046fc9402	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
moxejxev	0x2fc000	0x19e000	0x19d400	e4fde345e5b2d95a782d610a3b5aa5b1	False	0.994248147307925	data	7.9537846812043025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ttihhytk	0x49a000	0x1000	0x600	de9d7efc487575f3bfc2ab052402c0a2	False	0.5904947916666666	data	5.056524453344602	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x49b000	0x3000	0x2200	cf9f03a68cdb54b759decce481e79f2e	False	0.0759420955882353	DOS executable (COM)	0.9277009024723581	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4990b0	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T08:43:12.412269+0100	2059051	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)	1	192.168.2.7	63559	1.1.1.1	53	UDP
2025-01-09T08:43:12.422948+0100	2059041	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)	1	192.168.2.7	51993	1.1.1.1	53	UDP
2025-01-09T08:43:12.462291+0100	2059035	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)	1	192.168.2.7	57437	1.1.1.1	53	UDP
2025-01-09T08:43:12.472358+0100	2059039	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)	1	192.168.2.7	62182	1.1.1.1	53	UDP
2025-01-09T08:43:12.482080+0100	2059057	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)	1	192.168.2.7	64220	1.1.1.1	53	UDP
2025-01-09T08:43:12.502453+0100	2059037	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)	1	192.168.2.7	60374	1.1.1.1	53	UDP
2025-01-09T08:43:12.520722+0100	2059043	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)	1	192.168.2.7	50040	1.1.1.1	53	UDP
2025-01-09T08:43:12.530838+0100	2059049	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)	1	192.168.2.7	50277	1.1.1.1	53	UDP
2025-01-09T08:43:13.205078+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49699	104.102.49.254	443	TCP
2025-01-09T08:43:13.836799+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.7	49699	104.102.49.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:43:12.572652102 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 08:43:12.572700977 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:12.572767019 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 08:43:12.575309038 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 08:43:12.575326920 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:13.204946995 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:13.205077887 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 08:43:13.251564026 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 08:43:13.251590014 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:13.251936913 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:13.299382925 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 08:43:13.440095901 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 08:43:13.483329058 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:13.836832047 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:13.836858988 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:13.836889982 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:13.836909056 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:13.836944103 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:13.836952925 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 08:43:13.836987972 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:13.837019920 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 08:43:13.837059021 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 08:43:13.919708967 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:13.919750929 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:13.919779062 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:13.919868946 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 08:43:13.920136929 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 08:43:13.923861980 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 08:43:13.923882008 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:13.923892021 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 08:43:13.923897028 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 08:43:31.916218042 CET	63344	53	192.168.2.7	1.1.1.1
Jan 9, 2025 08:43:31.921076059 CET	53	63344	1.1.1.1	192.168.2.7
Jan 9, 2025 08:43:31.921212912 CET	63344	53	192.168.2.7	1.1.1.1
Jan 9, 2025 08:43:31.926388025 CET	53	63344	1.1.1.1	192.168.2.7
Jan 9, 2025 08:43:32.369597912 CET	63344	53	192.168.2.7	1.1.1.1
Jan 9, 2025 08:43:32.374591112 CET	53	63344	1.1.1.1	192.168.2.7
Jan 9, 2025 08:43:32.374964952 CET	63344	53	192.168.2.7	1.1.1.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:43:12.394989967 CET	59408	53	192.168.2.7	1.1.1.1
Jan 9, 2025 08:43:12.404491901 CET	53	59408	1.1.1.1	192.168.2.7
Jan 9, 2025 08:43:12.412269115 CET	63559	53	192.168.2.7	1.1.1.1
Jan 9, 2025 08:43:12.421081066 CET	53	63559	1.1.1.1	192.168.2.7
Jan 9, 2025 08:43:12.422947884 CET	51993	53	192.168.2.7	1.1.1.1
Jan 9, 2025 08:43:12.431617975 CET	53	51993	1.1.1.1	192.168.2.7
Jan 9, 2025 08:43:12.462291002 CET	57437	53	192.168.2.7	1.1.1.1
Jan 9, 2025 08:43:12.470758915 CET	53	57437	1.1.1.1	192.168.2.7
Jan 9, 2025 08:43:12.472357988 CET	62182	53	192.168.2.7	1.1.1.1
Jan 9, 2025 08:43:12.481012106 CET	53	62182	1.1.1.1	192.168.2.7
Jan 9, 2025 08:43:12.482079983 CET	64220	53	192.168.2.7	1.1.1.1
Jan 9, 2025 08:43:12.490935087 CET	53	64220	1.1.1.1	192.168.2.7
Jan 9, 2025 08:43:12.502453089 CET	60374	53	192.168.2.7	1.1.1.1
Jan 9, 2025 08:43:12.510921955 CET	53	60374	1.1.1.1	192.168.2.7
Jan 9, 2025 08:43:12.520721912 CET	50040	53	192.168.2.7	1.1.1.1
Jan 9, 2025 08:43:12.529263973 CET	53	50040	1.1.1.1	192.168.2.7
Jan 9, 2025 08:43:12.530838013 CET	50277	53	192.168.2.7	1.1.1.1
Jan 9, 2025 08:43:12.539900064 CET	53	50277	1.1.1.1	192.168.2.7
Jan 9, 2025 08:43:12.542788029 CET	58737	53	192.168.2.7	1.1.1.1
Jan 9, 2025 08:43:12.549983025 CET	53	58737	1.1.1.1	192.168.2.7
Jan 9, 2025 08:43:31.915776014 CET	53	52933	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 08:43:12.394989967 CET	192.168.2.7	1.1.1.1	0x9ada	Standard query (0)	letterdrive.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.412269115 CET	192.168.2.7	1.1.1.1	0x660b	Standard query (0)	soundtappysk.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.422947884 CET	192.168.2.7	1.1.1.1	0xe150	Standard query (0)	femalsabler.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.462291002 CET	192.168.2.7	1.1.1.1	0x72f7	Standard query (0)	apporholis.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.472357988 CET	192.168.2.7	1.1.1.1	0x7f40	Standard query (0)	crowdwarek.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.482079983 CET	192.168.2.7	1.1.1.1	0x5197	Standard query (0)	versersleep.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.502453089 CET	192.168.2.7	1.1.1.1	0x3149	Standard query (0)	chipdonkeruz.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.520721912 CET	192.168.2.7	1.1.1.1	0xdb4e	Standard query (0)	handscreamny.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.530838013 CET	192.168.2.7	1.1.1.1	0xc4ae	Standard query (0)	robinsharez.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.542788029 CET	192.168.2.7	1.1.1.1	0x98aa	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 08:43:12.404491901 CET	1.1.1.1	192.168.2.7	0x9ada	Name error (3)	letterdrive.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.421081066 CET	1.1.1.1	192.168.2.7	0x660b	Name error (3)	soundtappysk.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.431617975 CET	1.1.1.1	192.168.2.7	0xe150	Name error (3)	femalsabler.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.470758915 CET	1.1.1.1	192.168.2.7	0x72f7	Name error (3)	apporholis.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.481012106 CET	1.1.1.1	192.168.2.7	0x7f40	Name error (3)	crowdwarek.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.490935087 CET	1.1.1.1	192.168.2.7	0x5197	Name error (3)	versersleep.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.510921955 CET	1.1.1.1	192.168.2.7	0x3149	Name error (3)	chipdonkeruz.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.529263973 CET	1.1.1.1	192.168.2.7	0xdb4e	Name error (3)	handscreamny.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.539900064 CET	1.1.1.1	192.168.2.7	0xc4ae	Name error (3)	robinsharez.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:43:12.549983025 CET	1.1.1.1	192.168.2.7	0x98aa	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	104.102.49.254	443	6496	C:\Users\user\Desktop\P2V7Mr3DUF.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:43:13 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-09 07:43:13 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 09 Jan 2025 07:43:13 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=6f98276bb16ed8854225a9c6; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-09 07:43:13 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-09 07:43:13 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	02:43:10
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\P2V7Mr3DUF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\P2V7Mr3DUF.exe"
Imagebase:	0xe70000
File size:	1'871'360 bytes
MD5 hash:	110012CDF8FAE9FDF6A917CE78EA93CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25%
Total number of Nodes:	68
Total number of Limit Nodes:	5

Executed Functions

Function 00E7B2B0 Relevance: 9.3, Strings: 7, Instructions: 518
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fWpQ, xrefs: 00E7B397
6C(], xrefs: 00E7B382
`/(), xrefs: 00E7B588
@w@q, xrefs: 00E7B3E4
?_oY, xrefs: 00E7B389
K{Du, xrefs: 00E7B3DA
Bc*}, xrefs: 00E7B3C6

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: 6C(]$?_oY$@w@q$Bc*}$K{Du$`/()$fWpQ
API String ID: 0-74227037
Opcode ID: 011f23f945350f9b0d195ca6204b9902c4d35cc3f2b8e748c755d707ffb01efb
Instruction ID: 827cec9ede73560daef6eb9e149f37ea8e5c4f57abea194c6493bf6bf47b8c7a
Opcode Fuzzy Hash: 011f23f945350f9b0d195ca6204b9902c4d35cc3f2b8e748c755d707ffb01efb
Instruction Fuzzy Hash: 9E126AB5104B01CFD324CF26D891B97BBF5FB84315F108A2DD5AA9BAA4DB74A40ACF50

Function 00E78880 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00E78AB8

Strings

6W01, xrefs: 00E789B5

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID: ExitProcess
String ID: 6W01
API String ID: 621844428-326071965
Opcode ID: e64cd789c1a94a08a5e07d529f25a435012686d43ea1c3fb73922b863c1ed0d9
Instruction ID: cee31022ff51ccd7ebc0c1674a66779940ac26fa3f066ea9a63277d68aab3f3e
Opcode Fuzzy Hash: e64cd789c1a94a08a5e07d529f25a435012686d43ea1c3fb73922b863c1ed0d9
Instruction Fuzzy Hash: C951B073A843040BD328AA759C4A357BAC74BC1314F1BD5399A49BF3D6ED78AC0543C1

Function 00E7AA36 Relevance: 2.6, Strings: 2, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MO, xrefs: 00E7A9CF
MO, xrefs: 00E7AA37

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: MO$MO
API String ID: 0-3148518880
Opcode ID: cc5007a9afc5a1a92ddbc57b365b9643c2690dea3e8be1b2c1c374541407f8ce
Instruction ID: 60886446dc0526fa04f27a6d35db0abf801316d57641a434c442cde75b23a289
Opcode Fuzzy Hash: cc5007a9afc5a1a92ddbc57b365b9643c2690dea3e8be1b2c1c374541407f8ce
Instruction Fuzzy Hash: 20117C741042918BEF148F699D9566BBFA0EF46224F28E9989C856F38BC634C501CF65

Function 00EB02C0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00EB316E,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00EB02EE

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00E7C334 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ad33b486a1672ec70d99b3eb79c367fa3d0bf085a0fbcc553053b6d9b4122e
Instruction ID: 51f2e997f4efd28d5079163280d8940202073c84621e2ef3be3ae1dd598d93e3
Opcode Fuzzy Hash: 68ad33b486a1672ec70d99b3eb79c367fa3d0bf085a0fbcc553053b6d9b4122e
Instruction Fuzzy Hash: 0D11277065C3808FD318CF28DDC075BBBE2ABD6314F248A5CE5C627255DAB19909CBA6

Function 00EB0260 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,00E7B9C7,00000000,00000001), ref: 00EB0292

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c508a230a0606e92e99486a0c609348371680d8568f3473f75a1b7b264870d11
Instruction ID: 693bb64cb1f791d825d8861b634528d9a823cbbdf8323f24b138f676fc4befa4
Opcode Fuzzy Hash: c508a230a0606e92e99486a0c609348371680d8568f3473f75a1b7b264870d11
Instruction Fuzzy Hash: 23E02B32404310AFC2152B347C29F9B36A8EFC6711F050935F40176221DB31F80585A2

Function 00E7AB12 Relevance: 1.5, APIs: 1, Instructions: 20
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202), ref: 00E7AB46

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: fb71ac7dfb65943a5c3f9abf3748806ef98738781ce80d7ee64cd345d29548d6
Instruction ID: d04dcbc1fbcdd6fe85f131741a83e716185064fbee9f08e040401a9ac3e5b68f
Opcode Fuzzy Hash: fb71ac7dfb65943a5c3f9abf3748806ef98738781ce80d7ee64cd345d29548d6
Instruction Fuzzy Hash: 1EE02B321D8104BFF28C6752FD0FC973A96BB82306B084318F81970177D511182D8A62

Function 00EAEB40 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,00EB02AB,?,00E7B9C7,00000000,00000001), ref: 00EAEB60

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b2c0e472f5e799a4e44f561e98fb911f400c950a8a7e14418ee6fb5277a31d09
Instruction ID: 9bcb07ed49a2f2a07f550cb3520bc2a8bf394d955b20e13ae2e1de0bf348bb68
Opcode Fuzzy Hash: b2c0e472f5e799a4e44f561e98fb911f400c950a8a7e14418ee6fb5277a31d09
Instruction Fuzzy Hash: 4CD0C931455522EFC6102B29BC25BC73BA5FF49760F0708A1F540BA0B4D765AC928AD0

Function 00EAEB20 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,00EB02A0), ref: 00EAEB30

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cf7dccefea00d0730a831fdb2b95833443b00362e8b363b9345165166a61371b
Instruction ID: 5d07f5c038325cbfc57cb6751898d5569bc5e86503525981e4ec9fc63c59d9a8
Opcode Fuzzy Hash: cf7dccefea00d0730a831fdb2b95833443b00362e8b363b9345165166a61371b
Instruction Fuzzy Hash: 76C04831046120ABCA146B15EC19FCA3BA8EF853A1F0200A5B104761B18661AC82CA94

Non-executed Functions

Function 00E93EFF Relevance: 70.4, Strings: 56, Instructions: 350COMMON

Download Yara Rule

Strings

J, xrefs: 00E9417C
@, xrefs: 00E94152
n, xrefs: 00E93FCE
&, xrefs: 00E93FCA
:, xrefs: 00E94253
L, xrefs: 00E941A6
0, xrefs: 00E93FE6
b, xrefs: 00E94224
~, xrefs: 00E94208
f, xrefs: 00E93FEE
>, xrefs: 00E93FEA
N, xrefs: 00E9439E
^, xrefs: 00E94128
|, xrefs: 00E94216
x, xrefs: 00E941FA
t, xrefs: 00E941DE
Q, xrefs: 00E941C9
7, xrefs: 00E93FD6
8, xrefs: 00E93F4A
F, xrefs: 00E94160
?, xrefs: 00E94183
>, xrefs: 00E93F4E
@, xrefs: 00E94263
n, xrefs: 00E94257
H, xrefs: 00E9418A
D, xrefs: 00E9416E
v, xrefs: 00E941D0
1, xrefs: 00E93FDA
(, xrefs: 00E941AD
0, xrefs: 00E93FD2
r, xrefs: 00E941B4
&, xrefs: 00E9414B
`, xrefs: 00E9422F
\, xrefs: 00E94136
4, xrefs: 00E93FE2
f, xrefs: 00E94237
z, xrefs: 00E941EC
B, xrefs: 00E94144
N, xrefs: 00E94198
h, xrefs: 00E94175
h, xrefs: 00E9424F
}, xrefs: 00E94390
p, xrefs: 00E941C2
l, xrefs: 00E9425F
d, xrefs: 00E9423F
j, xrefs: 00E94247
?, xrefs: 00E93F42
x, xrefs: 00E93F3E
/, xrefs: 00E93F46
1, xrefs: 00E93FC2
q, xrefs: 00E93FDE
-, xrefs: 00E941BB
A, xrefs: 00E943AC
2, xrefs: 00E93FC6
V, xrefs: 00E93F52
X, xrefs: 00E9411A

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: &$&$($-$/$0$0$1$1$2$4$7$8$:$>$>$?$?$@$@$A$B$D$F$H$J$L$N$N$Q$V$X$\$^$`$b$d$f$f$h$h$j$l$n$n$p$q$r$t$v$x$x$z$|$}$~
API String ID: 0-1862720121
Opcode ID: fe6476972523ae40e05f3672d444eaaca2ef69f680912db625a5195f3fcb1d7a
Instruction ID: a6a177b97986b5041ca70c78da767b7464163357206553dfca59fc51d04d5cdb
Opcode Fuzzy Hash: fe6476972523ae40e05f3672d444eaaca2ef69f680912db625a5195f3fcb1d7a
Instruction Fuzzy Hash: 16024F219087D989DB22C67C8C483CDBFA11B63324F1883DDD1E86B3D7D6B90646CB62

Function 00EAA4EF Relevance: 55.3, Strings: 44, Instructions: 311COMMON

Download Yara Rule

Strings

i, xrefs: 00EAA7C4
3, xrefs: 00EAA54F
y, xrefs: 00EAA61A
a, xrefs: 00EAA78C
w, xrefs: 00EAA60C
e, xrefs: 00EAA7A8
u, xrefs: 00EAA5FE
n, xrefs: 00EAA7E7
E, xrefs: 00EAA66E
0, xrefs: 00EAA936
a, xrefs: 00EAA572
D, xrefs: 00EAA4FB
g, xrefs: 00EAA7B6
c, xrefs: 00EAA580
K, xrefs: 00EAA698
k, xrefs: 00EAA5B8
@%h, xrefs: 00EAA9C2
%, xrefs: 00EAA525
i, xrefs: 00EAA5AA
=, xrefs: 00EAA517
+, xrefs: 00EAA55D
>, xrefs: 00EAA764
x, xrefs: 00EAA533
G, xrefs: 00EAA67C
k, xrefs: 00EAA7D2
m, xrefs: 00EAA5C6
m, xrefs: 00EAA7E0
{, xrefs: 00EAA628
A, xrefs: 00EAA652
}, xrefs: 00EAA636
L, xrefs: 00EAA69F
s, xrefs: 00EAA5F0
c, xrefs: 00EAA79A
C, xrefs: 00EAA660
I, xrefs: 00EAA68A
e, xrefs: 00EAA58E
q, xrefs: 00EAA5E2
<, xrefs: 00EAA75B
o, xrefs: 00EAA7EE
:, xrefs: 00EAA509
9, xrefs: 00EAA541
g, xrefs: 00EAA59C
o, xrefs: 00EAA5D4
M, xrefs: 00EAA6A6

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: %$+$0$3$9$:$<$=$>$@%h$A$C$D$E$G$I$K$L$M$a$a$c$c$e$e$g$g$i$i$k$k$m$m$n$o$o$q$s$u$w$x$y${$}
API String ID: 0-533244943
Opcode ID: 3ebdaca742671d775246609b8d68994930643b081e8853f9ed6e8a2ec487f25c
Instruction ID: 5fbc22a4b1123373124656858315f0af6467fb0c0809f8ebe3344c0982ba2ca5
Opcode Fuzzy Hash: 3ebdaca742671d775246609b8d68994930643b081e8853f9ed6e8a2ec487f25c
Instruction Fuzzy Hash: A6F160319087E98ADB22C63C8C443DDBFA15B56324F0847E9D0A97B3D2C7754B86CB62

Function 00EA9923 Relevance: 51.6, Strings: 41, Instructions: 391COMMON

Download Yara Rule

Strings

f, xrefs: 00EA9E23
U, xrefs: 00EA9AFF
Z, xrefs: 00EA9AF7
_, xrefs: 00EA9ABF
$, xrefs: 00EA99E5
=, xrefs: 00EA9A01
s, xrefs: 00EA9B4F
*, xrefs: 00EA9A7F
G, xrefs: 00EA9AD7
~, xrefs: 00EA9B3F
x, xrefs: 00EA9B7F
5, xrefs: 00EA99D7
7, xrefs: 00EA9A71
w, xrefs: 00EA9B17
-, xrefs: 00EA99AD
{, xrefs: 00EA9B77
H, xrefs: 00EA9AEF
r, xrefs: 00EA9BB7
S, xrefs: 00EA9D26
@%h, xrefs: 00EA9EBE
t, xrefs: 00EA9B5F
], xrefs: 00EA9ACF
c, xrefs: 00EA9B07
F, xrefs: 00EA9A97
i, xrefs: 00EA9B6F
4, xrefs: 00EA9DFF
O, xrefs: 00EA9D16
F, xrefs: 00EA9AC7
i, xrefs: 00EA9B2F
Y, xrefs: 00EA9AE7
j, xrefs: 00EA9B37
S, xrefs: 00EA9A8F
<, xrefs: 00EA9A0F
2, xrefs: 00EA9A55
I, xrefs: 00EA9D0E
j, xrefs: 00EA9B1F
=, xrefs: 00EA9B8F
=, xrefs: 00EA9A1D
T, xrefs: 00EA9BCF
1, xrefs: 00EA99BB
e, xrefs: 00EA9E1C

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: $$*$-$1$2$4$5$7$<$=$=$=$@%h$F$F$G$H$I$O$S$S$T$U$Y$Z$]$_$c$e$f$i$i$j$j$r$s$t$w$x${$~
API String ID: 0-1174496626
Opcode ID: ce2d1808fbb952dd2f32807edacecc33fbd3d5d60cc262c4474ec8ef3a20b66a
Instruction ID: 81c4f9658c0ff8294d0bdf6a43f03284aefae4d9e6583f644667e427d1aa1f1b
Opcode Fuzzy Hash: ce2d1808fbb952dd2f32807edacecc33fbd3d5d60cc262c4474ec8ef3a20b66a
Instruction Fuzzy Hash: AE223D219087EA8DDB32C67C88483CDBEA15B67224F1843D9D4F87B3D6C7750A46CB66

Function 00E95100 Relevance: 23.2, APIs: 2, Strings: 11, Instructions: 481COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00E951AA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00E95243

Strings

]R, xrefs: 00E95257
+$e, xrefs: 00E95165, 00E9517A
:@&F, xrefs: 00E95393
XY, xrefs: 00E95146
1D6Z, xrefs: 00E9539B
?P:V, xrefs: 00E953B3
,X*^, xrefs: 00E953A3
+$e, xrefs: 00E951F2
.T'j, xrefs: 00E953BB
C`<f, xrefs: 00E953D3
%\)R, xrefs: 00E953AB

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$%\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f$XY$]R
API String ID: 237503144-3207516455
Opcode ID: 18e8796b6d14e78c8f6173039f26f066adb5fe464ec9b485952da8d842f0bbf5
Instruction ID: 0aeb51491672b2db88892b18b2fc14d01c7abe7e22f7bf7512dd005aa602e3e1
Opcode Fuzzy Hash: 18e8796b6d14e78c8f6173039f26f066adb5fe464ec9b485952da8d842f0bbf5
Instruction Fuzzy Hash: 15F1EEB12483409FD710DF69D89166BBBE0FFC5318F14992CE6D59B362E7B88906CB42

Function 00EAB870 Relevance: 21.9, APIs: 2, Strings: 10, Instructions: 888COMMON

Download Yara Rule

Strings

[&h$, xrefs: 00EABE32
96, xrefs: 00EABE52
#~|, xrefs: 00EAB89D
e?^, xrefs: 00EABC4F
n:T8, xrefs: 00EABE4A
#~|, xrefs: 00EAB8A7
:;$%, xrefs: 00EAC2EC
M, xrefs: 00EABB5B
F*R(, xrefs: 00EABE2A
k"@ , xrefs: 00EABE3A

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
API String ID: 0-2807872674
Opcode ID: e93d7d4ff06c2aea58c421e0a3c386bf35ce6ae5ebc5e7549086cb4e1d70025a
Instruction ID: d963b3d40107890ee9efdff7bc59ca1674cb2a42204a1a13a2118fee97c8d722
Opcode Fuzzy Hash: e93d7d4ff06c2aea58c421e0a3c386bf35ce6ae5ebc5e7549086cb4e1d70025a
Instruction Fuzzy Hash: 475211726483408BD714CF28C8917ABFBE1EF9A314F189A2DE4D59B391D774D806CB92

Function 00E95D6A Relevance: 17.0, Strings: 13, Instructions: 778COMMON

Download Yara Rule

Strings

qs, xrefs: 00E95E96
&$, xrefs: 00E966A0
+\1R, xrefs: 00E9635A
uVw, xrefs: 00E95EA0
(X#^, xrefs: 00E96350
Wdz, xrefs: 00E96396
T`Sf, xrefs: 00E9638C
4D2Z, xrefs: 00E96346
-T,j, xrefs: 00E9636E
2E1G, xrefs: 00E96876
@%h, xrefs: 00E96956
8I>K, xrefs: 00E96858
$@7F, xrefs: 00E9633C

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$@%h$T`Sf$Wdz$&$$qs$uVw
API String ID: 0-3626717919
Opcode ID: aa8e7741363fb12235d43289362cab29b771acf0abc879e57de7b230ee1944cc
Instruction ID: 1d05ae5a27f81fdf84080988e3be66d88822ff6a9e13ae54a451487d2cef102b
Opcode Fuzzy Hash: aa8e7741363fb12235d43289362cab29b771acf0abc879e57de7b230ee1944cc
Instruction Fuzzy Hash: 6B7260B4A05269CFDB24CF59D881BDDBBB2FB45300F1181E8C5496B362DB749A86CF80

Function 00E87405 Relevance: 16.9, APIs: 4, Strings: 5, Instructions: 1110COMMON

Download Yara Rule

Strings

5&'d, xrefs: 00E875E5
@%h, xrefs: 00E87586, 00E8778D, 00E87803
~, xrefs: 00E88158
$f, xrefs: 00E87922
O, xrefs: 00E87625

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: $f$5&'d$@%h$O$~
API String ID: 0-4288492715
Opcode ID: 1bf766a8101e0f5ebba0a52aa376d52d55fd399bf8747f7262f1d799a173ac21
Instruction ID: 554c1c648da97d52416fe25ddd2f919390dd915e71226897ab825eafab0341df
Opcode Fuzzy Hash: 1bf766a8101e0f5ebba0a52aa376d52d55fd399bf8747f7262f1d799a173ac21
Instruction Fuzzy Hash: 7882FF7150C3518BC324DF28C8917ABB7E1EF99318F289A6DE4CDAB291E734D905CB52

Function 00E89840 Relevance: 16.7, APIs: 2, Strings: 7, Instructions: 936COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00E89CE7
FreeLibrary.KERNEL32(?), ref: 00E89D24

Part of subcall function 00EB02C0: LdrInitializeThunk.NTDLL(00EB316E,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00EB02EE

Strings

SP, xrefs: 00E89BF2
if, xrefs: 00E89B1C
vt, xrefs: 00E89AFC
@%h, xrefs: 00E89864, 00E89946, 00E8999D, 00E89A51, 00E89C63, 00E89C95, 00E89CFF, 00E89D38, 00E89DB4, 00E89E93, 00E89F54, 00E89FB0, 00E8A09C, 00E8A135, 00E8A1DB, 00E8A332, 00E8A3B2
pv, xrefs: 00E89BB2
~|, xrefs: 00E89B2E
tj, xrefs: 00E89BBA

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: ~|$@%h$SP$if$pv$tj$vt
API String ID: 764372645-2569065962
Opcode ID: 29407608817913bede6582a433d16a4b2e7fe647f397614d40deb547c3fb08c1
Instruction ID: caf7f10361ca65d5c81d893be4b8d24dff22ac2a59543a59bf454e6d8f26325f
Opcode Fuzzy Hash: 29407608817913bede6582a433d16a4b2e7fe647f397614d40deb547c3fb08c1
Instruction Fuzzy Hash: EE62D670A093009FE7249B15C89177BB7D2EBC5318F28962CF4DDB72A6E371AC058B52

Function 010405FF Relevance: 14.1, Strings: 10, Instructions: 1624COMMON

Download Yara Rule

Strings

D6&, xrefs: 0104163D
$G#, xrefs: 01040F14
?~, xrefs: 010414C2
0}7, xrefs: 01040FA3
oE1x, xrefs: 01041488
0}7, xrefs: 0104103A
a39, xrefs: 01040DA0
D6&, xrefs: 01041648
0}7, xrefs: 01041015
~kv), xrefs: 01040B5C

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: ?~$D6&$D6&$a39$oE1x$~kv)$$G#$0}7$0}7$0}7
API String ID: 0-285040051
Opcode ID: 392e589eaa92a96e681c2f459e6b7ba894607ef6b3ca44ce9b2d3e0eb0ee4f7f
Instruction ID: 273cea9ec3ec7effbefccbed384a38a319b05420877155dbb3b5b576a1aeabb6
Opcode Fuzzy Hash: 392e589eaa92a96e681c2f459e6b7ba894607ef6b3ca44ce9b2d3e0eb0ee4f7f
Instruction Fuzzy Hash: 43B22CF36082049FE704AE2DEC8567ABBE9EFD4720F1A863DEAC4C7744E53558058693

Function 00E85720 Relevance: 13.0, Strings: 9, Instructions: 1798COMMON

Download Yara Rule

Strings

DASS, xrefs: 00E8629C
NR@:, xrefs: 00E86291
9?4<, xrefs: 00E86345
BYQZ, xrefs: 00E86286
F2}0, xrefs: 00E85A76
@%h, xrefs: 00E85AF1, 00E85D9B, 00E86862, 00E86B31, 00E86E4A
L, xrefs: 00E862B2
a, xrefs: 00E863D3
R(RW, xrefs: 00E86265

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: 9?4<$@%h$BYQZ$DASS$F2}0$L$NR@:$R(RW$a
API String ID: 0-3969290412
Opcode ID: 1aeffb999dfef284cda0407a70fdbb72775c7288386eb59e14873034f576d1f4
Instruction ID: 85068263d97c67580b729007f8cb49bf182cce5d658374d333292d3cd9ce26bf
Opcode Fuzzy Hash: 1aeffb999dfef284cda0407a70fdbb72775c7288386eb59e14873034f576d1f4
Instruction Fuzzy Hash: 21C236726083409FD7249F28C8957ABB7E5FF95314F188A2CE4DDA73A1EB349905CB42

Function 00E957E0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 295COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00E958F4
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00E9595D

Strings

`J/H, xrefs: 00E95826
)RSP, xrefs: 00E959A1
=^"\, xrefs: 00E95ABF
B"@, xrefs: 00E95818
rp, xrefs: 00E95834

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: B"@$)RSP$=^"\$`J/H$rp
API String ID: 237503144-816972838
Opcode ID: 08cb87602ee5d8923b4f5da5dae21e9ecbae1d1f37bb80363972efc66cf8ffd3
Instruction ID: 8012a5648738dd7d36424d6597be8c08b6f3d60ae06cfd3d53176b1bf51adc2f
Opcode Fuzzy Hash: 08cb87602ee5d8923b4f5da5dae21e9ecbae1d1f37bb80363972efc66cf8ffd3
Instruction Fuzzy Hash: 1CA102B2E442198FDB10CFA9DC827EEBBB1FB84314F154168E515BB292D7759902CB90

Function 00E97860 Relevance: 11.7, Strings: 9, Instructions: 409COMMON

Download Yara Rule

Strings

bX_^, xrefs: 00E97C10, 00E97C14, 00E97D78
]_, xrefs: 00E979C8
JW, xrefs: 00E979BD
J+, xrefs: 00E979D3
@%h, xrefs: 00E97D1B, 00E97DAF
r}, xrefs: 00E97D60
/), xrefs: 00E97944
+5, xrefs: 00E9794C
3=, xrefs: 00E9795C

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: @%h$J+$JW$]_$bX_^$r}$+5$/)$3=
API String ID: 0-1501283490
Opcode ID: 7e437b771233d1d2b6591a6f4177eaf7ad0fae487d827e4c9bb21e0d825df644
Instruction ID: 9250feb44c04b7f383116bd6520457d3ecf8b72f3d9879196051f2f1f88dae8a
Opcode Fuzzy Hash: 7e437b771233d1d2b6591a6f4177eaf7ad0fae487d827e4c9bb21e0d825df644
Instruction Fuzzy Hash: CED1BDB461C3409FE7248F25D881B6BB7E2FFC6304F549A2CE1D5AB291D7709809CB52

Function 01032E0C Relevance: 11.6, Strings: 8, Instructions: 1589COMMON

Download Yara Rule

Strings

{Ef7, xrefs: 01032ECA
f~?, xrefs: 0103310E
a"7?, xrefs: 01033548
!u~, xrefs: 0103321D
"G_, xrefs: 01033207
_<', xrefs: 01033D1D
yWou, xrefs: 01033410
3?7, xrefs: 0103390C

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: "G_$_<'$a"7?$f~?$yWou${Ef7$!u~$3?7
API String ID: 0-4163861467
Opcode ID: 21edf50eadab709b7c68a6792637062b363daf0082588c965fec7837d2d93ee4
Instruction ID: 693c70029dfba8a99909ad1160aa33ecbb1751108411ae7927c8478b1fdc09cc
Opcode Fuzzy Hash: 21edf50eadab709b7c68a6792637062b363daf0082588c965fec7837d2d93ee4
Instruction Fuzzy Hash: B3B2F7F3A0C2049FE704AE2DEC8567ABBE9EF94720F16493DEAC4C7744E63558018796

Function 00E8C400 Relevance: 10.8, Strings: 8, Instructions: 842COMMON

Download Yara Rule

Strings

C`6f, xrefs: 00E8C73C, 00E8CBB1, 00E8CC7D
4D"J, xrefs: 00E8C8E8
C`6f, xrefs: 00E8C919
,\/b, xrefs: 00E8C912
*H%N, xrefs: 00E8C8EF
,X0^, xrefs: 00E8C90B
2T'Z, xrefs: 00E8C904
+P%V, xrefs: 00E8C8FD

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
API String ID: 0-102253164
Opcode ID: 8360b621baa5fc8372920cdfa707b4ab66ac5b9e01c272f3f113c3c6640bfa26
Instruction ID: 4c27d88f796b9b3d872d2329d41bb5ba2e92230caddef147ed500ac9893684bd
Opcode Fuzzy Hash: 8360b621baa5fc8372920cdfa707b4ab66ac5b9e01c272f3f113c3c6640bfa26
Instruction Fuzzy Hash: 11322BB19006158BCB24DF24C892777B7B2FF96318F28929CD8496F395E775A802C7E1

Function 00E90D90 Relevance: 10.5, Strings: 8, Instructions: 470COMMON

Download Yara Rule

Strings

>C;M, xrefs: 00E90F2E
%K9U, xrefs: 00E90F3E
>C;M"G3A, xrefs: 00E911E3
?_%Y, xrefs: 00E90F56
2W<Q, xrefs: 00E90F46
<O)I, xrefs: 00E90F36
?S2], xrefs: 00E90F4E
"G3A, xrefs: 00E91026

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: "G3A$%K9U$2W<Q$<O)I$>C;M$>C;M"G3A$?S2]$?_%Y
API String ID: 0-2668584225
Opcode ID: 258141750aa8b97d14d0318fbb11b2511848730231ae5f73738f4db6a30a44fc
Instruction ID: 01794974809fa8970331262e9ee5c70acaec2163c6bb6e87e702bd6b9e2ff075
Opcode Fuzzy Hash: 258141750aa8b97d14d0318fbb11b2511848730231ae5f73738f4db6a30a44fc
Instruction Fuzzy Hash: 1AE11FB55083008BC724DF64C89276BB7F1EFD2318F099A5CE8D69B3A4E3359905CB92

Function 0103B4FE Relevance: 10.4, Strings: 7, Instructions: 1665COMMON

Download Yara Rule

Strings

z}_, xrefs: 0103C8A4
g)_, xrefs: 0103BE9B
2nUy, xrefs: 0103C3C5
`Wq7, xrefs: 0103C80C
jh~&, xrefs: 0103BC4D
lL3, xrefs: 0103B7CD
G.n, xrefs: 0103C058

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: 2nUy$G.n$`Wq7$g)_$jh~&$z}_$lL3
API String ID: 0-3475535457
Opcode ID: 290050929f1b7e6c30f66a34942cc357b7db0eb20a6661c94555f3ce47f7a695
Instruction ID: a89f5e4d8efabd9c2176e41bc86a616222334c0b9d09569cb9edb294d95ffd0a
Opcode Fuzzy Hash: 290050929f1b7e6c30f66a34942cc357b7db0eb20a6661c94555f3ce47f7a695
Instruction Fuzzy Hash: D9B2E6F360C2049FE304AE29EC85A7AFBE9EBD4720F16853DE6C5C3744EA7558018697

Function 00E886FC Relevance: 9.8, Strings: 7, Instructions: 1000COMMON

Download Yara Rule

Strings

]a_c, xrefs: 00E88871
NmNo, xrefs: 00E888F5
H)G+, xrefs: 00E88852
tu, xrefs: 00E88829
@%h, xrefs: 00E88AEF, 00E88B51, 00E88BA5, 00E88BEF, 00E88C71, 00E88D6B, 00E88FAF, 00E89004, 00E892AB
+, xrefs: 00E88DD8
<, xrefs: 00E8913F

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: +$<$@%h$H)G+$NmNo$]a_c$tu
API String ID: 0-1513695675
Opcode ID: de437e2959a2c5e17c5f6a5c2a8643adab1efe9ec31da9678f8aad8f830283a0
Instruction ID: 0064c2f9aa3bfcffb128dea4d5fc07b72b0ceafd84311d332f57f1ced54f8c47
Opcode Fuzzy Hash: de437e2959a2c5e17c5f6a5c2a8643adab1efe9ec31da9678f8aad8f830283a0
Instruction Fuzzy Hash: 7752F4701093408FD7249F28C95177BB7E1FF85318F689A5CE4DEAB2A1DB34A805CB52

Function 01043BC3 Relevance: 9.2, Strings: 6, Instructions: 1703COMMON

Download Yara Rule

Strings

.T*f, xrefs: 01044E2B
&#|{, xrefs: 010444EF
6y~, xrefs: 01044875
Ff;z, xrefs: 01044C8D
<q, xrefs: 01044EBF
E{{[, xrefs: 01043FE9

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: &#|{$.T*f$6y~$<q$E{{[$Ff;z
API String ID: 0-1799893366
Opcode ID: 4fb8a79f4e65907f89de7c4751c7bed4db8fcfee8f46f987f0ccb8dcbb77e4f7
Instruction ID: 5bbee8656d0e18583cc362ff2d86974efec6eb0d9c06ef5921fa2cde2809fa65
Opcode Fuzzy Hash: 4fb8a79f4e65907f89de7c4751c7bed4db8fcfee8f46f987f0ccb8dcbb77e4f7
Instruction Fuzzy Hash: E7B229F3A0C2049FE304AE2DEC8577AB7D9EF94760F1A853DEAC4C3744E93598058696

Function 0103EB60 Relevance: 9.2, Strings: 6, Instructions: 1653COMMON

Download Yara Rule

Strings

6#,K, xrefs: 0103EE52
a-, xrefs: 0103F136
N|z, xrefs: 0103FA10
cK?, xrefs: 0103EDDF
.*nm, xrefs: 0103EC4F
@+{^, xrefs: 0103F51B

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: .*nm$6#,K$@+{^$a-$cK?$N|z
API String ID: 0-457224470
Opcode ID: 80415e42668be1da5282c12380379d5c3c26bbecc283f7a88613f957a4dba44a
Instruction ID: 2895e9d03f1f7a5d49d932477044db1568329df29ecb3a0cb16e94041f71e054
Opcode Fuzzy Hash: 80415e42668be1da5282c12380379d5c3c26bbecc283f7a88613f957a4dba44a
Instruction Fuzzy Hash: F1B227F360C204AFE304AE2DEC8577ABBE9EB94320F1A453DE6C4C7744EA7558058697

Function 01038878 Relevance: 8.3, Strings: 6, Instructions: 815COMMON

Download Yara Rule

Strings

Kci, xrefs: 01038C61
cz0V, xrefs: 01038E81
Kt, xrefs: 01038F4B
{pgw, xrefs: 01038A39
QI`, xrefs: 01038B49
RP, xrefs: 01038F13

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: Kci$RP$cz0V${pgw$Kt$QI`
API String ID: 0-2655404324
Opcode ID: 4eb95e3a2dd205c72f02fb08eff15dce2874ef0e9128e7e7714032e9ac08a0e9
Instruction ID: c86b38934daa710ef689cde0b262dbb92625f4486343effa400b50528cbfdfe2
Opcode Fuzzy Hash: 4eb95e3a2dd205c72f02fb08eff15dce2874ef0e9128e7e7714032e9ac08a0e9
Instruction Fuzzy Hash: D442E4F360C304AFE304AE29EC8567AFBE9EF94620F16492DE6C5C3344E67598448697

Function 00EAF150 Relevance: 8.0, Strings: 6, Instructions: 524COMMON

Download Yara Rule

Strings

f, xrefs: 00EAF3AD
d5fg, xrefs: 00EAF1B0, 00EAF195
S"(w, xrefs: 00EAF44C
@%h, xrefs: 00EAF217, 00EAF337, 00EAF3D8, 00EAF446, 00EAF4BD, 00EAF7C8
S"(w, xrefs: 00EAF220
d5fg, xrefs: 00EAF1EF

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID: InitializeThunk
String ID: @%h$S"(w$S"(w$d5fg$d5fg$f
API String ID: 2994545307-1715149098
Opcode ID: d51af249b30e60b4c19417ed0f613daa398c2e3ba2432fd570a12917661d6d0c
Instruction ID: 2a1c79d5f5926aff2c09b5c3d035946f3b52f252b251d5297c92b085fca2115c
Opcode Fuzzy Hash: d51af249b30e60b4c19417ed0f613daa398c2e3ba2432fd570a12917661d6d0c
Instruction Fuzzy Hash: DF12D371A093519FC724CF58C890A2BBBE1AFCA314F14963DF4A56B3A5D770EC058B92

Function 01031232 Relevance: 7.9, Strings: 5, Instructions: 1699COMMON

Download Yara Rule

Strings

PR{, xrefs: 0103181B
L-zn, xrefs: 01031FE5
fX@R, xrefs: 0103152F
[v;o, xrefs: 01031700
~|7, xrefs: 010320EB

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: L-zn$PR{$[v;o$fX@R$~|7
API String ID: 0-2180248742
Opcode ID: 3c73c82062238a6f6c7b7f32efa408608f1bd0fd3347bee6bc128ee3c7de14d6
Instruction ID: e951836868c27883d22bd36d962409dbb0ef2d97a7927a108d65adb3e9418b06
Opcode Fuzzy Hash: 3c73c82062238a6f6c7b7f32efa408608f1bd0fd3347bee6bc128ee3c7de14d6
Instruction Fuzzy Hash: B0B208F390C2149FE3046E2DEC8567AF7E9EF94760F1A4A2DEAC4C3740E93558058697

Function 00E7AE30 Relevance: 7.8, Strings: 6, Instructions: 344COMMON

Download Yara Rule

Strings

:33F, xrefs: 00E7B0A4
]f, xrefs: 00E7B021, 00E7B025
8)*6, xrefs: 00E7B1B7, 00E7B229, 00E7B084, 00E7B232, 00E7B25C, 00E7B215, 00E7B1C3, 00E7B064
8)*6, xrefs: 00E7B0B0
Ds, xrefs: 00E7AEE8
}v, xrefs: 00E7AED8

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: 8)*6$8)*6$:33F$Ds$]f$}v
API String ID: 0-771823803
Opcode ID: 2c2d5fb10fc0a1f9bdda587f2fc3d5dcad5f2b56362adf3da216e082b2a78021
Instruction ID: cf9009ad09a75203d369af996ddb0c72519417920c878e4d855c028879e17d6e
Opcode Fuzzy Hash: 2c2d5fb10fc0a1f9bdda587f2fc3d5dcad5f2b56362adf3da216e082b2a78021
Instruction Fuzzy Hash: 2EB1167520D3848BC324CF6884647AFBBE1AFD2308F58D92CE4D96B352D775890ACB56

Function 0103493E Relevance: 7.8, Strings: 5, Instructions: 1575COMMON

Download Yara Rule

Strings

nW, xrefs: 01034FE0
SW, xrefs: 010356AF
kYw_, xrefs: 01035246
VS, xrefs: 01035B1A
ZN^_, xrefs: 010350A1

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: SW$ZN^_$kYw_$nW$VS
API String ID: 0-3934421308
Opcode ID: cf951fe38a0d5b1dfafc446f9d829b3aa33405ac73891850cbf01920c76cac74
Instruction ID: 5d1c18d374f5eaa9158eaa313d88056e4683b8b3f33f4392e653682b519792ee
Opcode Fuzzy Hash: cf951fe38a0d5b1dfafc446f9d829b3aa33405ac73891850cbf01920c76cac74
Instruction Fuzzy Hash: 18A237F360C2049FE304AE2DEC8567AFBE9EFD4720F1A453DEAC483744EA7558058696

Function 00E95AF0 Relevance: 7.8, Strings: 6, Instructions: 289COMMON

Download Yara Rule

Strings

bX_^, xrefs: 00E95BBD
)RSP, xrefs: 00E959A1
=^"\, xrefs: 00E95ABF
C@, xrefs: 00E95C40
K3, xrefs: 00E95C4A
B:, xrefs: 00E95C36

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: )RSP$=^"\$B:$C@$K3$bX_^
API String ID: 0-3030200349
Opcode ID: a1eea0b5fc0f594c6aabfb0a1b2e616d88fec77411a37adf0bf3a56077b67c9c
Instruction ID: 44032e7cf8f51f338d60d0c2d0b8e38cd25df8bab5012f72e9bc95908e112fc3
Opcode Fuzzy Hash: a1eea0b5fc0f594c6aabfb0a1b2e616d88fec77411a37adf0bf3a56077b67c9c
Instruction Fuzzy Hash: 8CB100B6E002188FDB20CF69CC427DEBBB1FB85314F1981A9E518BB252D77459468F91

Function 00E98437 Relevance: 6.7, Strings: 5, Instructions: 469COMMON

Download Yara Rule

Strings

LMR|, xrefs: 00E98848
"#, xrefs: 00E98B43
H}}C, xrefs: 00E98850
vu~r, xrefs: 00E98868
J'N!, xrefs: 00E98B3B

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: "#$H}}C$J'N!$LMR|$vu~r
API String ID: 0-1530353048
Opcode ID: c71febfb2347d850c1782bd91cd0f142319d547c3d82a353475b94198bc620bf
Instruction ID: 5cb3ff705ccd945de4803290e397f3a39db28420bb45dca517ea10bd7b08d30c
Opcode Fuzzy Hash: c71febfb2347d850c1782bd91cd0f142319d547c3d82a353475b94198bc620bf
Instruction Fuzzy Hash: D6E17BB150C381CFCB108F28988126BB7E1AFD7308F18496DE9D9AB252DB35D809CB52

Function 00E742B0 Relevance: 6.7, Strings: 5, Instructions: 464COMMON

Download Yara Rule

Strings

IDAT, xrefs: 00E7471B
), xrefs: 00E74337
IHDR, xrefs: 00E746AC
), xrefs: 00E7432D
IEND, xrefs: 00E7478F

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: 4d1d2fa99b711168bc8d3410da2745b5de510f734064856c7cd50c9782f0bfea
Instruction ID: f2e4199c909e81733ffbd777a3d63c2bf5d0f550ee4cc4fb33724ac8b2aeb5dc
Opcode Fuzzy Hash: 4d1d2fa99b711168bc8d3410da2745b5de510f734064856c7cd50c9782f0bfea
Instruction Fuzzy Hash: C50225B05083948FD704CF29D89076BBBE1EB95304F14862EF989AB3D2D774D908CB92

Function 0102C14F Relevance: 6.7, Strings: 4, Instructions: 1709COMMON

Download Yara Rule

Strings

Wgw, xrefs: 0102C8B3
>)gM, xrefs: 0102CB8F
z;, xrefs: 0102CDA2
[Ew}, xrefs: 0102D1B9

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: >)gM$[Ew}$Wgw$z;
API String ID: 0-726255941
Opcode ID: dd369f5deee5bae043ff20d1f57868ef1b4c3b5345e8e8a045cd56f5deb7c154
Instruction ID: 0ee23cb3121ca8d7a5df7277face06d0171238aec4b5d0c7a3a0de3e5fa3bd51
Opcode Fuzzy Hash: dd369f5deee5bae043ff20d1f57868ef1b4c3b5345e8e8a045cd56f5deb7c154
Instruction Fuzzy Hash: C0B206F360C200AFE3046E69EC8567ABBE5EF94720F1A493DEAC4C7744EA7558018797

Function 00E792A0 Relevance: 6.7, Strings: 5, Instructions: 452COMMON

Download Yara Rule

Strings

RRP\, xrefs: 00E7973E
P, xrefs: 00E7948B
C, xrefs: 00E7960D
#"2., xrefs: 00E793C2
!oW1, xrefs: 00E793CA

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: !oW1$#"2.$C$P$RRP\
API String ID: 0-2182630447
Opcode ID: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction ID: 3ccb3c8af00166681f163b49440fb3b9edb7a027fc97ff48b665dfbdd74c3a7b
Opcode Fuzzy Hash: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction Fuzzy Hash: B8C1147121C3924BD3258F29C49176BBFE2AFD3304F18996DE4D84B386D779850ACB92

Function 00E99FE4 Relevance: 6.7, Strings: 5, Instructions: 437COMMON

Download Yara Rule

Strings

ooKv, xrefs: 00E9A363
sf, xrefs: 00E9A36B
,fbV, xrefs: 00E9A353
lvhu, xrefs: 00E9A34B
d~`}, xrefs: 00E9A35B

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: ,fbV$d~`}$lvhu$ooKv$sf
API String ID: 0-4157365443
Opcode ID: 44c1d794aaef76b1c149b4a85e55dc415936ac9b80dfc7f9bf06849b5a9083bb
Instruction ID: 07c496a5d163e65a264207a1eb016a166c00059b5018f768a706fd4c3c50769e
Opcode Fuzzy Hash: 44c1d794aaef76b1c149b4a85e55dc415936ac9b80dfc7f9bf06849b5a9083bb
Instruction Fuzzy Hash: 1EE13AB150C3418FD724CF28C8917ABB7E2AFD1304F18896CE5D997252E679E908CB93

Function 00E7D545 Relevance: 6.6, Strings: 5, Instructions: 350COMMON

Download Yara Rule

Strings

~wxH, xrefs: 00E7D64F
9Y, xrefs: 00E7D854
&W-Q, xrefs: 00E7D7B9
|qay, xrefs: 00E7D641
?C*], xrefs: 00E7D7A4

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: &W-Q$9Y$?C*]$|qay$~wxH
API String ID: 0-1959178137
Opcode ID: a476c36bd10d0954fc9a3b4f8fa4518db0020601f94c6e2bd33551de8c4dd2e1
Instruction ID: 8312c353d1a0416da56d5a214061200e9d0bf16b98e2c2c6cfd8c61726063105
Opcode Fuzzy Hash: a476c36bd10d0954fc9a3b4f8fa4518db0020601f94c6e2bd33551de8c4dd2e1
Instruction Fuzzy Hash: 9CB1F5756087818BD329CF2AC890762BBF2FF96304B18D1ADD4D65BB46D734A406CB91

Function 00E79790 Relevance: 5.4, Strings: 4, Instructions: 415COMMON

Download Yara Rule

Strings

{u, xrefs: 00E79A7E
kh, xrefs: 00E79BE3
nz, xrefs: 00E798E3
*+, xrefs: 00E79B1E

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: *+$kh$nz${u
API String ID: 0-424779605
Opcode ID: 0913d186a452eb086749008dc31357c488ddea92e637e2484cd47a3ca53a62ab
Instruction ID: 5e2faa8f3b3b3fdec0df3b31e68430ea0c8574a87c7f5fe705673ec07407d410
Opcode Fuzzy Hash: 0913d186a452eb086749008dc31357c488ddea92e637e2484cd47a3ca53a62ab
Instruction Fuzzy Hash: 70D113716083508BD724DF38C851BABBBE2EFD1318F18896CE4D59B392D638C809CB46

Function 010420FF Relevance: 5.4, Strings: 3, Instructions: 1615COMMON

Download Yara Rule

Strings

Z@z", xrefs: 01043267, 01043331, 01043362, 0104340C, 0104342A
Gf], xrefs: 01042966
]r4, xrefs: 01042376

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: Gf]$Z@z"$]r4
API String ID: 0-1348503794
Opcode ID: e756ab9ad493e64ca2e82195a0ed7cfba2b52dc8dc087b1e921debab7caada4a
Instruction ID: e90a0299b2202f6926e9fba084272a3da8a9e44e72b1d4669b2a482591f30f6a
Opcode Fuzzy Hash: e756ab9ad493e64ca2e82195a0ed7cfba2b52dc8dc087b1e921debab7caada4a
Instruction Fuzzy Hash: EDB205F360C2049FE304AE29EC8567ABBE9EF94720F1A493DE6C4C7744EA3558418697

Function 00E9FCBC Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

mc, xrefs: 00E9FDF9
_Pna, xrefs: 00E9FD26
t, xrefs: 00E9FCCC
BVAI, xrefs: 00E9FF6A

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: BVAI$_Pna$mc$t
API String ID: 0-1770441902
Opcode ID: 92a9835b407e51d3939b9793479c147907e7989fdd44fe9f3883dc33e3e605f5
Instruction ID: 0b3d09b0c8494589ce4f79d33ee31c56fbc86549f56d3b37d2f533c9971bb90e
Opcode Fuzzy Hash: 92a9835b407e51d3939b9793479c147907e7989fdd44fe9f3883dc33e3e605f5
Instruction Fuzzy Hash: E6A1847050C3C18AE739CF2984107ABBFE1AFD7308F18996DD0D9A7282DB75854ACB56

Function 00E9EA62 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

4b, xrefs: 00E9EDDA
0, xrefs: 00E9ED00
D, xrefs: 00E9ED68
8<j?, xrefs: 00E9ED50

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: 0$8<j?$D$4b
API String ID: 0-1320392364
Opcode ID: 37b2ab5f930fb1f64cd294da257c2e9a3d8c6a8e19c0de7403879e324304dc5c
Instruction ID: 56bb42f1c2a9cde7cf436498bfa03b687c23d5f5573ab5f837edefab0c74b7e9
Opcode Fuzzy Hash: 37b2ab5f930fb1f64cd294da257c2e9a3d8c6a8e19c0de7403879e324304dc5c
Instruction Fuzzy Hash: 8C91D66120C3818BDB18CF39846137BFBD29FD6318F28996EE5D69B391D239C9098716

Function 00E9A9F7 Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

v, xrefs: 00E9AD90, 00E9ADD1, 00E9AE5D, 00E9AE45, 00E9AB80, 00E9AC34, 00E9AC4B, 00E9ABC1
zi, xrefs: 00E9AE8C
v, xrefs: 00E9ACB0
bt, xrefs: 00E9AE84

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: v$v$bt$zi
API String ID: 0-1945541540
Opcode ID: f83ab591ff5d2e4015957e5f177aeb12214f523add0ba9e51195ff7087ee72de
Instruction ID: dc8f4e15db030747c308f85a49d0f2fce3124519aab64db1a9abc5f513d8b5fe
Opcode Fuzzy Hash: f83ab591ff5d2e4015957e5f177aeb12214f523add0ba9e51195ff7087ee72de
Instruction Fuzzy Hash: 55D1677260C3558FD725CF28D45069FFBE6EBC4304F06892DE8A99B281D774D60A8B86

Function 00E8BBA0 Relevance: 5.3, Strings: 4, Instructions: 325COMMON

Download Yara Rule

Strings

,D,J, xrefs: 00E8BD19
9HiN, xrefs: 00E8BD21
WT, xrefs: 00E8BD39
'P0V, xrefs: 00E8BD31

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: 'P0V$,D,J$9HiN$WT
API String ID: 0-3770969982
Opcode ID: 3876c52d1b0c45a92dce5a8789b89c83f6077b68922c64fb4a0121f71b46a3d3
Instruction ID: 64dea5f559186ae9e4fab1ac23955c62296cdad834fe062d89da98432fa7fb40
Opcode Fuzzy Hash: 3876c52d1b0c45a92dce5a8789b89c83f6077b68922c64fb4a0121f71b46a3d3
Instruction Fuzzy Hash: B8B102766493559FD304DF66D8802AFBBE2FBC1314F098D2CE1D867351D779890A8B82

Function 01039A75 Relevance: 5.3, Strings: 3, Instructions: 1566COMMON

Download Yara Rule

Strings

J,_, xrefs: 0103AAA6
i_{?, xrefs: 0103A5B3
sg_, xrefs: 0103A515

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: J,_$i_{?$sg_
API String ID: 0-3949376956
Opcode ID: 85af62f6059575c5aff98ffd6740865c8f560fd1745e9a2fece0024909a4ad96
Instruction ID: 1f4020ef5620dd93b3bf7ef1326d5620cd920a6c1d620686e1926f9a3e79bb24
Opcode Fuzzy Hash: 85af62f6059575c5aff98ffd6740865c8f560fd1745e9a2fece0024909a4ad96
Instruction Fuzzy Hash: EBB2E6F390C2009FE304AE2DEC8567ABBE9EF94720F1A893DE6C4C7744E63558458697

Function 00EB2D20 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

bX_^, xrefs: 00EB2D22
@%h, xrefs: 00EB2E66, 00EB2F3A
D`a&, xrefs: 00EB2ED5
NMNO, xrefs: 00EB2E20

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID: InitializeThunk
String ID: @%h$D`a&$NMNO$bX_^
API String ID: 2994545307-3124560283
Opcode ID: 213abe99d732995e056b7743441157433d3a7dc88779327d56a85f4679d8ea9b
Instruction ID: b409126fabb66e8967f93a8d3f84de9c77b45fdd6dc354b5ffaea7e7ad1a0d55
Opcode Fuzzy Hash: 213abe99d732995e056b7743441157433d3a7dc88779327d56a85f4679d8ea9b
Instruction Fuzzy Hash: 798168313083054FD328DF25DC915ABB7A3EFC5328F29962CE6A56B3A1DB31E8098751

Function 00E8825B Relevance: 5.2, Strings: 4, Instructions: 231COMMON

Download Yara Rule

Strings

), xrefs: 00E8837A
gfff, xrefs: 00E883EA
@%h, xrefs: 00E8852E
7, xrefs: 00E883A3

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: )$7$@%h$gfff
API String ID: 0-368779783
Opcode ID: d51ec875f710e618e6ed9624928aefff47869f226baa358fb5fee89234217d17
Instruction ID: 7f51f9059779c5d1b608497b1710078ba0052198c59e296c75c3c7ba287109de
Opcode Fuzzy Hash: d51ec875f710e618e6ed9624928aefff47869f226baa358fb5fee89234217d17
Instruction Fuzzy Hash: 4E8128726142118BD324CF28CD417AB77D6EBC4314F18DA2DD889EB395EB38D906C781

Function 00E84C20 Relevance: 4.7, Strings: 3, Instructions: 989COMMON

Download Yara Rule

Strings

NP,?, xrefs: 00E85070
@%h, xrefs: 00E8505F, 00E850F8, 00E85195, 00E85237, 00E852CF, 00E85330, 00E85390, 00E853F1, 00E856A6
U, xrefs: 00E855D4

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: @%h$NP,?$U
API String ID: 0-3007191629
Opcode ID: 0c0dc16e992b4040808d409d68975e721e829d567476967564118cf22226f382
Instruction ID: ed7ad334604745adfecfb52332b1d7c8feb0610c07f164118b193561f98c99d4
Opcode Fuzzy Hash: 0c0dc16e992b4040808d409d68975e721e829d567476967564118cf22226f382
Instruction Fuzzy Hash: 39521372609300DFD724EF29DC91A3B73A2EBC5314F54962CF599AB2E5EB30A805C791

Function 00E91E70 Relevance: 4.2, Strings: 3, Instructions: 435COMMON

Download Yara Rule

Strings

defgau`c, xrefs: 00E91FCA
au`c, xrefs: 00E91FC6
(ijkdefgau`c, xrefs: 00E91FBE

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: (ijkdefgau`c$au`c$defgau`c
API String ID: 0-3415814675
Opcode ID: 417be931a8213e2847a685a7c0d9ab75eb8f0846b37abef959b1623d2869777c
Instruction ID: eeb469d25f16844ed1bffaba17adcbc3ef918f2fe5c0fff87bcf2689dd223e12
Opcode Fuzzy Hash: 417be931a8213e2847a685a7c0d9ab75eb8f0846b37abef959b1623d2869777c
Instruction Fuzzy Hash: 55D1F0B16083409FDB14DF28C891BABBBE1EFC5318F14992CEA859B391E775D805CB52

Function 00EA4CEF Relevance: 4.2, Strings: 3, Instructions: 429COMMON

Download Yara Rule

Strings

., xrefs: 00EA4DE2
K, xrefs: 00EA4DDE
$, xrefs: 00EA4DE6

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: $$.$K
API String ID: 0-4278605028
Opcode ID: 100c14c70290349f4bc2f4930bcc953e5ab5c3fd5a5347419412f3e098c4e322
Instruction ID: 0709dce4512a7652c9a48d103559d44313891a825b561ba197c4c0fe9c0dc4be
Opcode Fuzzy Hash: 100c14c70290349f4bc2f4930bcc953e5ab5c3fd5a5347419412f3e098c4e322
Instruction Fuzzy Hash: B1029D71614BC08BE3198F3DC891392BFE2AB56304F0CC9ADD4DACB787C269E5458B65

Function 00E9B170 Relevance: 4.2, Strings: 3, Instructions: 428COMMON

Download Yara Rule

Strings

{wBy, xrefs: 00E9B538
@%h, xrefs: 00E9B4A6, 00E9B6D6
?;;, xrefs: 00E9B3AA

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: @%h${wBy$?;;
API String ID: 0-2451862556
Opcode ID: 2fbb150df46979bc35d598fa62644810ba0ea5932e6fec43738289008bbf5e73
Instruction ID: 03809bb4301fbb23496b43754f18dd0e7a3ee8f1bf67e7f4d5f68a9f33feefdb
Opcode Fuzzy Hash: 2fbb150df46979bc35d598fa62644810ba0ea5932e6fec43738289008bbf5e73
Instruction Fuzzy Hash: 87F1F27060C340DFDB15DF29E95176BBBE2AF85304F088A6CF5D5A72A2D3359909CB12

Function 00E9EBB3 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

4b, xrefs: 00E9EDDA
D, xrefs: 00E9ED68
8<j?, xrefs: 00E9ED50

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 9c02d0358d5e24990e8fd59b1be54991784641a61496ca80768bfff60a54e5d8
Instruction ID: d5be0a5ef730c36f0c2f776d1462e34c60c5bf1f9e764ec8a9e74a7f0c87e961
Opcode Fuzzy Hash: 9c02d0358d5e24990e8fd59b1be54991784641a61496ca80768bfff60a54e5d8
Instruction Fuzzy Hash: E581E96020C3818BDB18CF39846137BFBD29FD6318F2C996DE5D69B381D239C8498756

Function 00E9EB5F Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

4b, xrefs: 00E9EDDA
D, xrefs: 00E9ED68
8<j?, xrefs: 00E9ED50

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: b6d575584d1182d39c7abcde68feb4da1d82a69235fa7e6cd96705f932097be3
Instruction ID: 326c2a9956bc14a718c55ba57dad758a0a82824f8ded64f5424cee4105684cae
Opcode Fuzzy Hash: b6d575584d1182d39c7abcde68feb4da1d82a69235fa7e6cd96705f932097be3
Instruction Fuzzy Hash: 9181E66020C3818BDB19CF3984A137BFBD29FD6318F2C996DE5D69B381D239C8498756

Function 00E78F90 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

ut, xrefs: 00E790E1
#=0, xrefs: 00E78FC5
Z, xrefs: 00E790E8

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: #=0$Z$ut
API String ID: 0-1971374411
Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction ID: 36fc91cad081fc965c63b4cded7dabd1c30f1390f3b966b01f6530dd87d703c5
Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction Fuzzy Hash: 7981F43120C3828AD7058F39C45036BFFE1AFA3318F1899ADD4D5AB297D629C90AC752

Function 00E9EBA1 Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

4b, xrefs: 00E9EDDA
D, xrefs: 00E9ED68
8<j?, xrefs: 00E9ED50

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: c0a62f290eaa9c55a51a1cf81b15bb256850883f53b2c0dac5cc44bfef09812f
Instruction ID: 9b70f08198c1687df652533a0bf8dd04968f794bd7a68a75c2a5d3bc530e11ea
Opcode Fuzzy Hash: c0a62f290eaa9c55a51a1cf81b15bb256850883f53b2c0dac5cc44bfef09812f
Instruction Fuzzy Hash: 1381C7612083818BD719CF3984A137AFFD29FD6318F2C996DE5D59B381D238C90A8B56

Function 00E97133 Relevance: 4.0, Strings: 3, Instructions: 219COMMON

Download Yara Rule

Strings

FOOE, xrefs: 00E97307
KGFU, xrefs: 00E97315
UUQg, xrefs: 00E97323

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: FOOE$KGFU$UUQg
API String ID: 0-2281124432
Opcode ID: da6ab1100e3f044c9e431550b6e7299acea6ef725dca9695b240d550bc298aa7
Instruction ID: b13dc4843187b2858adb1ab543c3ff568a77af18cd3d94b35dda461a678efd20
Opcode Fuzzy Hash: da6ab1100e3f044c9e431550b6e7299acea6ef725dca9695b240d550bc298aa7
Instruction Fuzzy Hash: E8619DB2A792528FDF14CBA8C8401EAF7A2EF55310F1D4265D895AB3D2E334DD09D390

Function 0102F935 Relevance: 4.0, Strings: 2, Instructions: 1467COMMON

Download Yara Rule

Strings

Y/?=, xrefs: 0102FBDC
?)>, xrefs: 0103016A

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: Y/?=$?)>
API String ID: 0-840818184
Opcode ID: 1acdead52d1d5ba6d2d93b85cd3d45dc129e0f15df08ea3bccb01dd18fe73b80
Instruction ID: 32b8c1f0351bf74d158a1eda71aaaa462627de21ed107d1fbaf198ebf185157b
Opcode Fuzzy Hash: 1acdead52d1d5ba6d2d93b85cd3d45dc129e0f15df08ea3bccb01dd18fe73b80
Instruction Fuzzy Hash: 50A2F7F3A0C200AFD3046F29EC8567AFBE9EF94720F1A892DE6C487744E63558458797

Function 00E8AF24 Relevance: 3.9, Strings: 3, Instructions: 196COMMON

Download Yara Rule

Strings

I`af, xrefs: 00E8B038
5230, xrefs: 00E8AFC1
t]ae, xrefs: 00E8B081

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: 5230$I`af$t]ae
API String ID: 0-812676372
Opcode ID: 54a2fe8ca1eb82179e33a218c4400bfd2fafb2d5abfc5babe2595f95c7d4c857
Instruction ID: 242171a15d79aa0015d537215282b4a165b5677fc86e2053ff2ec53ed5f43773
Opcode Fuzzy Hash: 54a2fe8ca1eb82179e33a218c4400bfd2fafb2d5abfc5babe2595f95c7d4c857
Instruction Fuzzy Hash: C4514772A14B808FE739CF66C991763BBE3AFA1304F1D896DC1C697695DAB8A405C700

Function 00E8DAD0 Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

1, xrefs: 00E8DBA3
A, xrefs: 00E8DC18
5230, xrefs: 00E8DB20

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: 1$5230$A
API String ID: 0-2921844354
Opcode ID: 61eac7b19c9d2abc12885d80b89f609f0fd2a2601df1c90c0bed9fe8081d8eaf
Instruction ID: 300f1af233fc2537fdc990c952f2e68af73ed4dd6f120e4f03870bd8e019222a
Opcode Fuzzy Hash: 61eac7b19c9d2abc12885d80b89f609f0fd2a2601df1c90c0bed9fe8081d8eaf
Instruction Fuzzy Hash: DD41297265C3405AE324AE65DC42BABF7D3EBD1324F18C52DF1DD672D5EAB848068312

Function 00E8F6D0 Relevance: 3.3, Strings: 2, Instructions: 817COMMON

Download Yara Rule

Strings

, xrefs: 00E90058
9, xrefs: 00E901A0

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: 9$
API String ID: 0-2267362515
Opcode ID: 1c6c8bfcd1c2be0a0f8d7a1f560dc9c2e881e7da416c628b8a6dcbb47fd1fb7a
Instruction ID: 6ff1d6f0f63c0e4da0342f542d8e061dc0f47ae0c9641b2b191247693d0b9ca1
Opcode Fuzzy Hash: 1c6c8bfcd1c2be0a0f8d7a1f560dc9c2e881e7da416c628b8a6dcbb47fd1fb7a
Instruction Fuzzy Hash: 2372C1B1618B818ED3298F3C8805397BFD6AB9A324F188B5DE0FE877D2C77561018756

Function 00E74DC0 Relevance: 3.3, Strings: 2, Instructions: 792COMMON

Download Yara Rule

Strings

8, xrefs: 00E756D3
0, xrefs: 00E756DB

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: dbcef6e7e39630317dbb9ff9187703ab044e8443431bbe159d0e01b5fb7dcf20
Instruction ID: 222161e5686b24874d535ccdadbe7c47eede714d0b8c4eff990e68b0afd0027c
Opcode Fuzzy Hash: dbcef6e7e39630317dbb9ff9187703ab044e8443431bbe159d0e01b5fb7dcf20
Instruction Fuzzy Hash: 817246725087409FD714CF18C880BAABBE1FF88318F44992DF9999B391D3B5D958CB92

Function 00E92380 Relevance: 2.9, Strings: 2, Instructions: 396COMMON

Download Yara Rule

Strings

:;, xrefs: 00E923AC
@%h, xrefs: 00E92736

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: :;$@%h
API String ID: 0-914522331
Opcode ID: 198bd9f306d058b1921b33b97ed73806ae95e76203b687542d0fda3874568337
Instruction ID: d9b8ad39dd2c910fdc9106129db1eae0d8f89106fc708571746c08e016a75f26
Opcode Fuzzy Hash: 198bd9f306d058b1921b33b97ed73806ae95e76203b687542d0fda3874568337
Instruction Fuzzy Hash: 9CA12771A05310ABDF20DF24DC8276B73E4EF91328F18A52CF995AB292E334DD058752

Function 00EAC5A0 Relevance: 2.9, Strings: 2, Instructions: 385COMMON

Download Yara Rule

Strings

NP,?, xrefs: 00EAC7C0
@%h, xrefs: 00EAC5CF, 00EAC73A, 00EAC7AF, 00EAC91D

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: @%h$NP,?
API String ID: 0-2583447649
Opcode ID: ee4f919fe4daaadebc94da50d3102bc7372b2659187b10a6eb92737d4f5169a2
Instruction ID: 654528a3d2df80b8352e50bb10c1dba82aade97e621a5a01450ed683b38d2b3c
Opcode Fuzzy Hash: ee4f919fe4daaadebc94da50d3102bc7372b2659187b10a6eb92737d4f5169a2
Instruction Fuzzy Hash: CAA13B75A083109BD324CE29C88167BB7A6EBCE328F35A62DF5957F291D730BC058791

Function 00EA1E8E Relevance: 2.9, Strings: 2, Instructions: 383COMMON

Download Yara Rule

Strings

nz, xrefs: 00EA204A
nz, xrefs: 00EA2051

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: nz$nz
API String ID: 0-4002586851
Opcode ID: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction ID: bad2ab656525c310d8df1964b74a5a3f3fc263f162ae8f3ce19078cc46223aeb
Opcode Fuzzy Hash: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction Fuzzy Hash: F8E10872609B808FD315CA3CC891396BFE2AFEA314F1DC66CC5EA8B392D675A405C711

Function 00EB2470 Relevance: 2.8, Strings: 2, Instructions: 294COMMON

Download Yara Rule

Strings

@%h, xrefs: 00EB252E, 00EB265A
_\]R, xrefs: 00EB2490

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID: InitializeThunk
String ID: @%h$_\]R
API String ID: 2994545307-2103760045
Opcode ID: afe66eb4afd29546ae24a357ccf22dfacf156caf6c4ef7cd56ba6852a69c0e4d
Instruction ID: 0dd7407941e3d5e51d56ed845206b8f66ee7f6d7dd32a0098219c3acc8b862f1
Opcode Fuzzy Hash: afe66eb4afd29546ae24a357ccf22dfacf156caf6c4ef7cd56ba6852a69c0e4d
Instruction Fuzzy Hash: D1914B315083118BC728DF28D8509AFB7E2EFD5314F19952DE5C5A72A5EB30EC05C786

Function 00E97490 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

o~, xrefs: 00E975E6
yr, xrefs: 00E975CE

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: o~$yr
API String ID: 0-1013308823
Opcode ID: 25461eced12ac3aaaa5cd3fece7541b19e41618dbaf2cbbb488519ba86bd5b45
Instruction ID: 7af94c65434fad3debdfd8f0a3a675cc25c0a699a4cb1e26bef50fb4638f171a
Opcode Fuzzy Hash: 25461eced12ac3aaaa5cd3fece7541b19e41618dbaf2cbbb488519ba86bd5b45
Instruction Fuzzy Hash: FF91477691C3108BD720DF18C84566BBBE2EFD1318F09992CE9D95B391E7B4C909C786

Function 00E97F30 Relevance: 2.8, Strings: 2, Instructions: 280COMMON

Download Yara Rule

Strings

, xrefs: 00E98074, 00E98093, 00E980C4
@%h, xrefs: 00E97FB8, 00E98099

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID: InitializeThunk
String ID: @%h$
API String ID: 2994545307-2112583116
Opcode ID: fda13b507392c81553c62148c3635b0c48724483ce1719c30301df52af7687cd
Instruction ID: a4e864e88b4c7ef32b93cf219d283aed3823ce3635187abf4546ec3329188ccb
Opcode Fuzzy Hash: fda13b507392c81553c62148c3635b0c48724483ce1719c30301df52af7687cd
Instruction Fuzzy Hash: BF818C716093005BEB249B25DD9176F73E5EFD2318F18D62CE885673A1EB349C0AC391

Function 00EB27B0 Relevance: 2.7, Strings: 2, Instructions: 247COMMON

Download Yara Rule

Strings

=^"\, xrefs: 00EB28B7
@%h, xrefs: 00EB27C7, 00EB2886

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: =^"\$@%h
API String ID: 0-1272381948
Opcode ID: f0a7fccc2167e668258111eee2cde440422fc66b7e591e060a007524ff648fef
Instruction ID: bf39b370d519bb246238687675d4fefea68384fa8a46bd89ab60c8cbbe478f57
Opcode Fuzzy Hash: f0a7fccc2167e668258111eee2cde440422fc66b7e591e060a007524ff648fef
Instruction Fuzzy Hash: 1C81C2342052018BC728DF1CD890AABB3E2EF89714F14962CEA95AB3B1DB31EC51CB41

Function 00E98280 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

:7$%, xrefs: 00E982C5, 00E982F6
:7$%, xrefs: 00E98375

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: :7$%$:7$%
API String ID: 0-2391988857
Opcode ID: 1b2363ab2b74b6eb5e040e69f8eacf0947eb2c8ccd6937833e3295d5e8f70d51
Instruction ID: 990ec7e23d819a2b4950c3a6182c5031bfa2502e7cd00dadcfa0492cfefd3455
Opcode Fuzzy Hash: 1b2363ab2b74b6eb5e040e69f8eacf0947eb2c8ccd6937833e3295d5e8f70d51
Instruction Fuzzy Hash: C221D0711083808BD7089B79C965B6FFBE5BBC6318F105A2CE1D29B291DBB48409CB82

Function 00E8194F Relevance: 2.2, APIs: 1, Instructions: 666COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 00E81D64

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 0327368dc10647cbc0564697f404758ba324463ccc75b888ba0b10e4165756b2
Instruction ID: 94bb4bb5cb6721a1d8a3ee79971dc3715995739c59a1702d502396acccdfaf6d
Opcode Fuzzy Hash: 0327368dc10647cbc0564697f404758ba324463ccc75b888ba0b10e4165756b2
Instruction Fuzzy Hash: 1C42F7B5A04B408FD714EF38C88536ABBE1AF95314F188A6DD5AF9B3D2D635A406C702

Function 00EACD27 Relevance: 2.0, Strings: 1, Instructions: 747COMMON

Download Yara Rule

Strings

/p, xrefs: 00EAD2AD

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: /p
API String ID: 0-62938030
Opcode ID: 5649a63b5055dabf2784676e33958fc475e2aa61868ac2e82867f783954ebd85
Instruction ID: f8e534e7e14fb2b391634e4397d00735f01dada1615578a185ab2aecd464704b
Opcode Fuzzy Hash: 5649a63b5055dabf2784676e33958fc475e2aa61868ac2e82867f783954ebd85
Instruction Fuzzy Hash: A9321F36A18352CFC7049F39D81226BB7E1FF99320F1A897DD4C197291E7B99948C782

Function 00E96C76 Relevance: 1.8, Strings: 1, Instructions: 581COMMON

Download Yara Rule

Strings

@%h, xrefs: 00E96956

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: @%h
API String ID: 0-608267615
Opcode ID: d3ff25ab7e5ef61b911e85e6043eb111a9c77b667510c68f505cf93fd110912c
Instruction ID: 22fb402a38626730c5a33dd44f5c353aea355e97992803ba15477690f26fa6bf
Opcode Fuzzy Hash: d3ff25ab7e5ef61b911e85e6043eb111a9c77b667510c68f505cf93fd110912c
Instruction Fuzzy Hash: 35121275A04216CFCF14CF68C8906EEB7B2FF89304F299199D481AB3A5DB359D42DB50

Function 00EA2426 Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

J, xrefs: 00EA249F

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: 71c87f43732f4a5eef838a1370a9a949ab7480764d82b44bd47e14c713c96483
Instruction ID: 83b6574daf44bfad65b1fe784443fa0728bb9e27f12b319d7d2f29275cfd0d7a
Opcode Fuzzy Hash: 71c87f43732f4a5eef838a1370a9a949ab7480764d82b44bd47e14c713c96483
Instruction Fuzzy Hash: EE127C75609AC18FE3158B38C591392BFE1AB6A304F1CC9ADC4EACB387D63AD5068751

Function 00EB5620 Relevance: 1.6, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

0010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00EB5655

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: 0010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-2906481384
Opcode ID: f91a51f3176c1a61b08989adbb9e89ddfea85a9930abd68afb3d88ba324e693b
Instruction ID: 1d5d980e97d3b075096ab37f9f58f5d874d6f4013632e5ddfc2fb8633a9d7fe0
Opcode Fuzzy Hash: f91a51f3176c1a61b08989adbb9e89ddfea85a9930abd68afb3d88ba324e693b
Instruction Fuzzy Hash: AFC1B2B54693D5AFDB975F3084912A37FA0EF4B71936661EEC9C38E423C2219443DB82

Function 00E8BEE1 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

'', xrefs: 00E8C360, 00E8C364

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: ''
API String ID: 0-694448769
Opcode ID: 8c95f307fe14cd41c378082a3cff3eebbde7ba37754f4c4cc52de381f0644a51
Instruction ID: d36b62a966c654a6f533a03f1756fa4ed6f4ddfd410eb067f365514676614101
Opcode Fuzzy Hash: 8c95f307fe14cd41c378082a3cff3eebbde7ba37754f4c4cc52de381f0644a51
Instruction Fuzzy Hash: E09134756193008BC3149F28D89126BB7F2EFD6364F28E92CE4D99B391E774C905C792

Function 00E86ED0 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

*+, xrefs: 00E87069

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: *+
API String ID: 0-2181965719
Opcode ID: 7296c32b25c40a5f0fa340b1823ddfa0ecc921b1b5c4066cb483ceb2b3f42ad4
Instruction ID: a83a764b1ee95b4ce6393baea853bb7bf6d3b31fff9b9f1d20ea68d4d6f215d6
Opcode Fuzzy Hash: 7296c32b25c40a5f0fa340b1823ddfa0ecc921b1b5c4066cb483ceb2b3f42ad4
Instruction Fuzzy Hash: C1B187B15093818BD331CF25C8917EBBBE1EF96318F18991CD4CD9B291EB348446CB92

Function 00E7DFE2 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

UXY^, xrefs: 00E7E295

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: UXY^
API String ID: 0-1486013802
Opcode ID: 02f80014a03478f0b729d48af9dfa3268790a60367f22a33b6e2a9497422470f
Instruction ID: fbf94089845ca4edec2f79a6b8cea75ef20bb6e11ec7df4e682da042df6e1ec7
Opcode Fuzzy Hash: 02f80014a03478f0b729d48af9dfa3268790a60367f22a33b6e2a9497422470f
Instruction Fuzzy Hash: E59123B1604B418FD315CF29C990662BBA2FF9A304B1996DCD0D69FB56C738E806CB91

Function 00E97070 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

@%h, xrefs: 00E96956, 00E97085

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: @%h
API String ID: 0-608267615
Opcode ID: 76da8608dfa62e490882a408e88c3b17b8e52832ae12bf1a2cdd63ce5e842ace
Instruction ID: 0968efab77c645ea5145b1ed3704e0b1ee48de229d202b5288fcbc130d0bf7a2
Opcode Fuzzy Hash: 76da8608dfa62e490882a408e88c3b17b8e52832ae12bf1a2cdd63ce5e842ace
Instruction Fuzzy Hash: E4913235A05205DFDF19CFA8C890BAAB7B2FF89304F698198D102BB361D735AD46CB40

Function 00E76000 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

,, xrefs: 00E76169

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
Instruction ID: 339c17dff3eac3bff8706a3245362f90ab2bb1b44c12485fe44c9c0eb21f30ab
Opcode Fuzzy Hash: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
Instruction Fuzzy Hash: B2B149712097819FD325CF28C88465BFBE0AFA9308F448E2DF5D997342D231E918CB96

Function 00EA3930 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

d, xrefs: 00EA39CA

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 47376f7036387a0d83bc181f7765040e498ae2fb9f1d5c9a4399fb6dbdba4f73
Instruction ID: c140af36ad0e6b04f83f14ffbfdccb7a2ff0161d3cd63b10c176e11250cee8fe
Opcode Fuzzy Hash: 47376f7036387a0d83bc181f7765040e498ae2fb9f1d5c9a4399fb6dbdba4f73
Instruction Fuzzy Hash: DA813333759A900BD328993D4C612AABE830BDB330F2DD76DB5F6AB3E1D5688D058350

Function 00EB2A60 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

@%h, xrefs: 00EB2A77, 00EB2B28

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: @%h
API String ID: 0-608267615
Opcode ID: f1d431632e11d6d5276e464875e2dadebf31848f0a26306b0e4359a9317a2d2a
Instruction ID: 65c19c24c19734f2d6b4d819852b8db304e50bdfcc9288e9e705e124363eddfd
Opcode Fuzzy Hash: f1d431632e11d6d5276e464875e2dadebf31848f0a26306b0e4359a9317a2d2a
Instruction Fuzzy Hash: 7481A1352053069FC724DF18C890AABB7E1EF89354F14962CFA95AB3A1DB31EC55CB41

Function 00E9D830 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 00E9DA2E

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 9a4603c22318e367dba667123d20eddef2882a912edced7f529aeece32d02086
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: F8711532A0C3254BDF24CE2CCD8031EB7E2ABC5724F29A52DE498AB395D274DD458786

Function 00EE3DCA Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

x/\, xrefs: 00EE3E8A

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: x/\
API String ID: 0-3771386907
Opcode ID: 18baafe2cd7040f4bae019a89c60c365d5e551e14344267056e67d303b805623
Instruction ID: 76d8add7648004b2d1e4e3a107b92ef60727abbeedd5602da08d291e47cff28f
Opcode Fuzzy Hash: 18baafe2cd7040f4bae019a89c60c365d5e551e14344267056e67d303b805623
Instruction Fuzzy Hash: 106109F3A0C7009BE348AE39DC9577AB7E1EF94320F1A893DDB8587784E53949018746

Function 00E8A900 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_;=8, xrefs: 00E8AA58

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: _;=8
API String ID: 0-3640539833
Opcode ID: 93225ad31fe8cced1f69ac54cc5d9272f09f0afd726f3d80bfd8733f33358850
Instruction ID: 21b1470ea8b45cf417c18e24cef99b6577cba3b7574f9c24e06d344bb25b324e
Opcode Fuzzy Hash: 93225ad31fe8cced1f69ac54cc5d9272f09f0afd726f3d80bfd8733f33358850
Instruction Fuzzy Hash: E85125B0511B008BD7289F25C8616B3BBF1FF42349B085A6DC4C79BB41E738A908CB91

Function 0130A1A3 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

;6oV, xrefs: 0130A235

Memory Dump Source

Source File: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: ;6oV
API String ID: 0-1189460535
Opcode ID: afed33c7b2a61b646bb1147f5777ad8c942ebbecf19e074a7e1af2f6536e2061
Instruction ID: b7821a30d5690829200ec82e6aa65145e523b81100179c16de55849aa61b4c74
Opcode Fuzzy Hash: afed33c7b2a61b646bb1147f5777ad8c942ebbecf19e074a7e1af2f6536e2061
Instruction Fuzzy Hash: D041B5B360C200AFE309AE09EC81B7AF7E5EF95361F16853EEAC5C7750D6355840CA96

Function 00EAC9A0 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

@%h, xrefs: 00EACAC7

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID: InitializeThunk
String ID: @%h
API String ID: 2994545307-608267615
Opcode ID: 466c38f712c6653e0e1705b6a6a3a9b7d67c72111b03b54c62e93fa1c47ea044
Instruction ID: cd26f9ae7442a5fca0b5ed6bf3a372be231a3b6d5f7f4421469fa2748436468f
Opcode Fuzzy Hash: 466c38f712c6653e0e1705b6a6a3a9b7d67c72111b03b54c62e93fa1c47ea044
Instruction Fuzzy Hash: 73411771A053145BD7149E64DC41B6B77E8EF8A708F20A42CF986BB251EB32FC048792

Function 00EAF0E0 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

@%h, xrefs: 00EAF106

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID: InitializeThunk
String ID: @%h
API String ID: 2994545307-608267615
Opcode ID: cce402f6b8d86487c42d4fa6c1087344cb27c7a00dd446f4a7a2bb81b4d1d8b9
Instruction ID: c050c0826ef4edcb9780ca58d57ecaa4c2a43a4ef2ff51c26f4149263c303004
Opcode Fuzzy Hash: cce402f6b8d86487c42d4fa6c1087344cb27c7a00dd446f4a7a2bb81b4d1d8b9
Instruction Fuzzy Hash: A2F0D172505208AFD2204B89EC80C3773AEEBDE72CF201328F454371A2A322FD1086A0

Function 00EB042D Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

7&'$, xrefs: 00EB0445

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: 7&'$
API String ID: 0-2529063906
Opcode ID: 98cc1de475d91c494383217ee09ed14f058653265daf1a9d06bd0cbac66e5e20
Instruction ID: f6dd27d6ad3ddc0eed77b24ebb990a61657c0d47262c72afca8a36d96ee0d7da
Opcode Fuzzy Hash: 98cc1de475d91c494383217ee09ed14f058653265daf1a9d06bd0cbac66e5e20
Instruction Fuzzy Hash: 28F068305145444BDB518F3D98996FF67F0E753228F302BB4C6AAF32A2C670D8814E04

Function 00E88672 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

@%h, xrefs: 00E885B0, 00E88617

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: @%h
API String ID: 0-608267615
Opcode ID: de41a6946b4eff381ca933349049142634426053750e0a857faa32111f89073c
Instruction ID: 85f87d53a85c55258e4618a8366fe6c2d24c315ada2a7358cfeebc8aabb726d5
Opcode Fuzzy Hash: de41a6946b4eff381ca933349049142634426053750e0a857faa32111f89073c
Instruction Fuzzy Hash: 75F08234906100CFC728EF1A9F904367361F74A3117A03665C80EB31B8EF30B859DB09

Function 00E9B652 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

@%h, xrefs: 00E9B6D6

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID: @%h
API String ID: 0-608267615
Opcode ID: d6daaefab57378ddbd9c099157624d012c4d16b2f2952ee7bcbcbcb65e571636
Instruction ID: 1340699b52c707bbba743e5f368d0642d1c90073701bf3f507b7c42006358839
Opcode Fuzzy Hash: d6daaefab57378ddbd9c099157624d012c4d16b2f2952ee7bcbcbcb65e571636
Instruction Fuzzy Hash: FCE08C74A09201DF8E288F16FA91536B3A1EBA6709F647A2AD04677125E320BC55C616

Function 00E72EF0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b55abc481bcf8c7186b9b79201149386000a02e344ef36b0877cd17f8cb6743
Instruction ID: 2b8fdb22dd1e625ed582c9314247464519d4c382485a00ca5af4634ebaae9e13
Opcode Fuzzy Hash: 1b55abc481bcf8c7186b9b79201149386000a02e344ef36b0877cd17f8cb6743
Instruction Fuzzy Hash: 7752E2716083458BCB59CF24C0906EABBE1FF84318F18DA6DE89D67352D734DA49DB81

Function 00E76850 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ffb0090b3cc6b710abc1cc3d590d5cb4278fe3cc8f0164b23891b71953166a2
Instruction ID: 3cdabf3afed10a54c32dcb8dde183d195c544c1c4ee6e0f8c5a89f1c32bfe2a7
Opcode Fuzzy Hash: 7ffb0090b3cc6b710abc1cc3d590d5cb4278fe3cc8f0164b23891b71953166a2
Instruction Fuzzy Hash: 5D52D270A08B848FE735CB24C4943A7BBE1EB5131CF14E82DD5EF26A82D379A985C715

Function 00EA080E Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9789c37e942221334db292d499e9351ad60230b463bb2085d3b2761d682ef7d9
Instruction ID: c3aef19e4dd09ad3642f917f05eb60e8c9e3fdc17c8c6297bbf4aedd10d6886d
Opcode Fuzzy Hash: 9789c37e942221334db292d499e9351ad60230b463bb2085d3b2761d682ef7d9
Instruction Fuzzy Hash: F042B3B0505B809FD315CF39C996793BFE1AB56314F18CA9DE4EE8B382C239A445CB91

Function 00E77620 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction ID: dfd83b92f67d22bd9f7c80bcd33aee44c65172a6880e30b1f8bf2d2bc3ec0516
Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction Fuzzy Hash: 7512B532A0C7118BD735DF18D8806ABB3E2FFC9319F19D92DD9C9A7285D734A8518782

Function 00E73900 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6619416fe888c2e95db84fd272e16a836aa7b1c66908daf7199a1c874770d166
Instruction ID: 2c384bb387383f51d06ab8ed7c8a0aba990f1f5a189687bccd6329102e618b3f
Opcode Fuzzy Hash: 6619416fe888c2e95db84fd272e16a836aa7b1c66908daf7199a1c874770d166
Instruction Fuzzy Hash: FE323470914B118FC3B8CF29C580566BBF1FF85710B609A2ED69BA7A90D336F945EB10

Function 00EB1B20 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a9f69b98d698c5adc8e09fad9578de06a2f860a1bf7afe20908b33a428d103
Instruction ID: a4b4c871e8fce88c97f10844631a62bdc2191ebeb017f966eb9c79cd72a125a5
Opcode Fuzzy Hash: 25a9f69b98d698c5adc8e09fad9578de06a2f860a1bf7afe20908b33a428d103
Instruction Fuzzy Hash: E8E1DF3160D341CFC308DF29D8A066BB7E2FBC9325F598A6DE586A7251D734E909CB41

Function 00E7E9B0 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5940479fc794b2d4848e0b26f43b85fc6035a76b1bf1a3664e4a5f281ea061b8
Instruction ID: a4aefebb9ff87bdf591071d7229719bbf75a05635b5c78722e53dada9710d9e1
Opcode Fuzzy Hash: 5940479fc794b2d4848e0b26f43b85fc6035a76b1bf1a3664e4a5f281ea061b8
Instruction Fuzzy Hash: 26121BF0900B00AFC360DF39D946797BFE8EB4A360F144A5EE5EE97285D73161058BA2

Function 00E75AB0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
Instruction ID: 15aa1c1064350ddcf547a67312559e702e089edd42b4f96f1d62630355f7b40b
Opcode Fuzzy Hash: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
Instruction Fuzzy Hash: 60F1BC366087418FC724CF29C88066BFBE2EF98304F48982DE5D997791E775E845CB92

Function 00EB1BB0 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e330eb3ebfbd3538980747e2348639284598de86e87c586dd0783e20f6a11f35
Instruction ID: 133d13ffb0839658febc6288c063a1b4bb00e52ecb08e73616307ccd7c041d01
Opcode Fuzzy Hash: e330eb3ebfbd3538980747e2348639284598de86e87c586dd0783e20f6a11f35
Instruction Fuzzy Hash: AAD1ED3161D340CFC308DF29D8A066BB7E2EBC9325F598A6DE986A7251D734E909CB41

Function 00EB1C40 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9cc4d93a584460cb95a5071f1a9f922e47dad608ff02dd824e57cc64ef4927
Instruction ID: 9b07c82a469555a2020f177dca278ea69f3af0c7033fdc132681ab9d16c1c950
Opcode Fuzzy Hash: aa9cc4d93a584460cb95a5071f1a9f922e47dad608ff02dd824e57cc64ef4927
Instruction Fuzzy Hash: 40D1E03161D341CFC318CF39D8A066BB7E2EBC9315F598A6DE886A7291D734E909CB41

Function 00EB768E Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2455d8322ef7e27546f48edbafa5979a4259dcd2ede4ece28a005c771acd183
Instruction ID: 51edd0aa1b727ec08fd97218a41d6bd7bb619b8465ab62f5fad050dd4cf49d51
Opcode Fuzzy Hash: b2455d8322ef7e27546f48edbafa5979a4259dcd2ede4ece28a005c771acd183
Instruction Fuzzy Hash: 73D1B0F3E086108BE3145E29DC8536AB6E2EBD4320F2F853DDAC8977C4D97D59068786

Function 00E8D400 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44aca0937c3abd8b0bf346591daf16cf2a3d240e911c765027d6ec8946fe1165
Instruction ID: 44831445e713fac07bb778230f0e7253e902a8ee2518c54bbd1d2c2cbf37ee2e
Opcode Fuzzy Hash: 44aca0937c3abd8b0bf346591daf16cf2a3d240e911c765027d6ec8946fe1165
Instruction Fuzzy Hash: 32C1F171548300AFD719AF24DC41B5BBBE2BBD8364F149A2DF49CB72E1D77298188B42

Function 00EA2B24 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
Instruction ID: 10198fd16b0e1e2900df07468e28fa7eed02aa08f4de18599980134874d3d181
Opcode Fuzzy Hash: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
Instruction Fuzzy Hash: D7F12971605B808FD315CB3CC8913A6BFE2AF9B314F1D8A6CD5EA8B392D635A845C711

Function 00EA54C4 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c8657c3e3850c53c15613d020970cade748e9fc05d6083420a5703aadc0489
Instruction ID: 4fbfd2770db288d3822af93da755775aef102501a29ab5be2f63a759c0429c25
Opcode Fuzzy Hash: 53c8657c3e3850c53c15613d020970cade748e9fc05d6083420a5703aadc0489
Instruction Fuzzy Hash: 2AF19B62625AC18FE3158B3DC811396FFE2ABA6304F1CCAAED0D9CB787C12DE5418755

Function 00E821DB Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
Instruction ID: a1d6ddfac6f50d36f236253be7d8a51906985c24c253d6ccae493342b362f864
Opcode Fuzzy Hash: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
Instruction Fuzzy Hash: 9AC1F6B5A04B408FD724AF38D8D13A6BBE1AF55314F18993DD5EF8B382E635A405CB12

Function 00E8D0C0 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63977223488059f2a97f333a589682eb7f34994d2e81802cc55b693fc3a60f9
Instruction ID: ed0a78ed1ab04b606bcbe4039ca7901898e111d9d480ee57eb4aa3287e93d262
Opcode Fuzzy Hash: a63977223488059f2a97f333a589682eb7f34994d2e81802cc55b693fc3a60f9
Instruction Fuzzy Hash: 3491393260C2614BC7168E2888916AFBBE1EB95324F19867CE8FD6B3D2C2349C05D7D1

Function 00E763C0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction ID: 1a745728f1d465ac63e19f7521c1a67b5febd1616d2484a22f68d7cdcd498d5d
Opcode Fuzzy Hash: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction Fuzzy Hash: 7EC16CB29487418FC324CF68CC86BABB7E1FF85318F08892DD1D9D6242E778A155CB46

Function 00E98B67 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3d77a275b374d9713c68f71349611719a02e4a67f35508646328e1ce982a12
Instruction ID: ba8bcc48264d219b62819f24bf08ffa726f74e1d85e763a3940146e5b112405a
Opcode Fuzzy Hash: ab3d77a275b374d9713c68f71349611719a02e4a67f35508646328e1ce982a12
Instruction Fuzzy Hash: EFA12731608391CFDB248F399CA135A77E2AF86320F18876CE5A5A72E2DB749914CB51

Function 00E78360 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e654d6461acd743fb099028870fad53b411be2650fd94ba6d6a716d91dc103
Instruction ID: 2d789473044aeb78f7af94d033ce133abe2384439443ca9a2ce55af6e9f84a19
Opcode Fuzzy Hash: c1e654d6461acd743fb099028870fad53b411be2650fd94ba6d6a716d91dc103
Instruction Fuzzy Hash: DD917F31A4C3525BC3119E28C58829BB7D29BE1310F18DA69D8D9A73A9FE74DC4587C1

Function 00EAF820 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d568270202be8666c6747a97cae15c503a0743d92dee52a571f55b25c44adc8
Instruction ID: 93f94fa091c1084e7881441b73836fa92edec73c977f3ff11218b2a8710a237b
Opcode Fuzzy Hash: 2d568270202be8666c6747a97cae15c503a0743d92dee52a571f55b25c44adc8
Instruction Fuzzy Hash: 6C81C63160C3928FC319CF68C49066EBBE2AFCA314F18867DE4D59B351D635E846C752

Function 00E99ADE Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250f2044f49c86ca6160964ab4b96e1592012d8994d9a0cca82dc7dad9b80a0a
Instruction ID: f08d691de1f9c439088aac7025e9d21ba666f225c46f89b93fdfac69da85c880
Opcode Fuzzy Hash: 250f2044f49c86ca6160964ab4b96e1592012d8994d9a0cca82dc7dad9b80a0a
Instruction Fuzzy Hash: 3C7138B2A087148FD7198F29D85133BB7D2ABC5304F49967CE996AB393DB349805C782

Function 00E9DBF0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1356d87b448f865f98072458d266cd5fb097d971452f1f81154fd38cc227ace4
Instruction ID: baec2b7c727fd9ca96715f6b13963be2c6bda5906ea7e8fa3732e91391d64af3
Opcode Fuzzy Hash: 1356d87b448f865f98072458d266cd5fb097d971452f1f81154fd38cc227ace4
Instruction Fuzzy Hash: AC71BCB450D3D08BDB358F26999839BBFE1AFA3308F185A5DD0D91B292C735480ACB57

Function 00E7CFEC Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5167590219da9bfe93ceecc7b898bee120a1ad835f9d56f9ebdd055897969f
Instruction ID: 02288a5296fdfe05d443e12f0829b36c3c024a4aa70c8d0b717336d63a040308
Opcode Fuzzy Hash: 4e5167590219da9bfe93ceecc7b898bee120a1ad835f9d56f9ebdd055897969f
Instruction Fuzzy Hash: 045179726057008FD329CF38CC82667BBE3AFD6314B1DD66CC4965B796EA35A406CB50

Function 00EA7B69 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e848d4d7a6764e75e98273d57cc0e77140ce4d6bb8f0c6766e149f1ab06c6c85
Instruction ID: 9664013a5357bcec9c79683d0350231780c74a8178b7fb49414dfa373d3191ba
Opcode Fuzzy Hash: e848d4d7a6764e75e98273d57cc0e77140ce4d6bb8f0c6766e149f1ab06c6c85
Instruction Fuzzy Hash: 9791A3B1E042548FCB18CF6CC89179EBBF2AF89310F29829DD859AB391D7759C01CB91

Function 00E8DCB0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b049b59dd94de8e6988f4c90a8aeec25b903ab842e4989fbe9ae4fcf7b28106f
Instruction ID: ac1ffb42e2b50b4ee076fa427352179cbdf7a63f702955678660aef15e6e3ece
Opcode Fuzzy Hash: b049b59dd94de8e6988f4c90a8aeec25b903ab842e4989fbe9ae4fcf7b28106f
Instruction Fuzzy Hash: 7861683374DA804BE328993D5C513AABB834BD6334B2DD77EA5BD9B3E5C9A548058340

Function 00E8A690 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc9b6a236ac6cccd64b94998182dcb045feddf0ba41835bb652e6a7594eae34
Instruction ID: 67b4b5d4b04f848114fc5269de8621bfa0c7f0556a02236a159619f3ebfec60f
Opcode Fuzzy Hash: 1dc9b6a236ac6cccd64b94998182dcb045feddf0ba41835bb652e6a7594eae34
Instruction Fuzzy Hash: 11610433B258904BA724993D8C052AA7A130BD633473DD37BE97CEB3E9D6268C065391

Function 00E9BBA0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction ID: 650d0630931492b6fd812ca88827ad182e3f382fe58aeed02ffeb3f9a4ff6144
Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction Fuzzy Hash: 8E61F4716083154BDB249E2DE9C026AF7D6ABC6738F19A72CE4B4AB3E5D7309C418741

Function 00E8B484 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6824241eec11dfcb4b1e473ed272bbbfd7816adbce02388acd067f4a04b7ca6a
Instruction ID: 5c317f1d4be42c737317e510799c94c4a4aa669105ffff2f6cc3c0c2ab5bcce9
Opcode Fuzzy Hash: 6824241eec11dfcb4b1e473ed272bbbfd7816adbce02388acd067f4a04b7ca6a
Instruction Fuzzy Hash: BF415B326547414BD32D8B35C862373BBD3ABA2304F1C946DC4DB9B752E739A40B8710

Function 00EA74AB Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf4f7ba4429379747305c1b8ad38765b53e9a10ab7e18e4890ef5a459d5ab72
Instruction ID: 0c263440cb368bec33eb25a266f7fcd155d71590533f881460ab5698d9e25807
Opcode Fuzzy Hash: ddf4f7ba4429379747305c1b8ad38765b53e9a10ab7e18e4890ef5a459d5ab72
Instruction Fuzzy Hash: 5071B771E046508FC718CF6CC85135ABFF2AB99314F2982ADD8999F3D2D6759C06CB81

Function 00E8B667 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da48e78b30f6f4c19d8ec3e0202e7bd294a147d67af3c41cc6d17edf38e62bdc
Instruction ID: ee69593a51e0deba99e35ff63d57129ef0f4eb10d876b8204071e0b7aca6a546
Opcode Fuzzy Hash: da48e78b30f6f4c19d8ec3e0202e7bd294a147d67af3c41cc6d17edf38e62bdc
Instruction Fuzzy Hash: 87413B726187414BD32D9A35C8623B3BF93EBE2304F2CA56EC4DB9B652D739940B8350

Function 00E7CA62 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9eee6ddcf50cc7cb065ec4140e612896c4a108176337ba8ed978c6155ba751f
Instruction ID: c54b4a3c7726ce0d0bdb32e4de5c68194830460fab84020be8bd7e74f585c8e2
Opcode Fuzzy Hash: e9eee6ddcf50cc7cb065ec4140e612896c4a108176337ba8ed978c6155ba751f
Instruction Fuzzy Hash: 795106766483118BC718CF65C89266BB7E2FFD8304F59D92DE4CAAB390DB7498018786

Function 00EA5D13 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6c6ac24f386206481496c1245231a1ad86904e1827748a42af830533f4df9e
Instruction ID: 78d911f2ab887315a35d456a4a43d569e383f8f9e18e18ba9daf272f51b81586
Opcode Fuzzy Hash: 8a6c6ac24f386206481496c1245231a1ad86904e1827748a42af830533f4df9e
Instruction Fuzzy Hash: 44913B21208BC28ED7268A3C88586557F915B67238B2C87DCE0FA8F7E7C657D107C766

Function 00EA443D Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bfc27d9988f1d6b89e48b1bb008290cb1bedc4092a1afa99f4f6d6bf8332c54
Instruction ID: 95d73cf61459bc1bd346475d83c73d402172a8cf9473ae75df295bbed00c6aca
Opcode Fuzzy Hash: 0bfc27d9988f1d6b89e48b1bb008290cb1bedc4092a1afa99f4f6d6bf8332c54
Instruction Fuzzy Hash: DC912D11208BC28EC326CA3C88586557F925BA7228F2D87DCD0FA8F7D7C7669507C766

Function 00EAACB0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction ID: a2f3545837cc26e47ee36cd24a49c48d9edf98d649eff1f758904669b2a49b55
Opcode Fuzzy Hash: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction Fuzzy Hash: EA516CB15087548FE314DF29D89435BBBE1BBC9318F044E2DE4E997350E379DA088B92

Function 010288D4 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1dfe44073e9f9dee111f8525a7e3ae547a1080fc49c5f949285eee9055d68bb
Instruction ID: d9312015e7a772d4aa6538670a9d8f8142e3e651099d2278f541684e87982733
Opcode Fuzzy Hash: d1dfe44073e9f9dee111f8525a7e3ae547a1080fc49c5f949285eee9055d68bb
Instruction Fuzzy Hash: 8161B3B3E1122547F3540E28CC543617793EB92314F2F82B88E9C6B7C6D97E6C4A9384

Function 00EB18A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae24368249f2ac9b8cbc43ce372cffd54ef269d83ed1f2936b10dbfdb48f1ad
Instruction ID: 63f0c0228de06d037e94c89dd2bf85e7e87c6d10b480a4bb7f1e1fad6cd54b0a
Opcode Fuzzy Hash: 1ae24368249f2ac9b8cbc43ce372cffd54ef269d83ed1f2936b10dbfdb48f1ad
Instruction Fuzzy Hash: D6510235A1C251CFC7109F25E8A02ABB3E1FBC9369F4A89BDD58967350D334D98ACB41

Function 00E72210 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f560dc7507b115fc64581cb526b19d322a7005de075ca9a4f9b2b7e188851ad8
Instruction ID: 7d3f9cbd26e2e2fb738cb6854c0b670830e33775ca2fc0eb688516a1b9a64f83
Opcode Fuzzy Hash: f560dc7507b115fc64581cb526b19d322a7005de075ca9a4f9b2b7e188851ad8
Instruction Fuzzy Hash: 8951B0B19047029FD3209F289C4471BB7A5FB85334F14872DE9A9A72E0E334E919CB86

Function 00FB49FE Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d75d4c3d4a8ed30ffc29a4cbcc51968913a19729912e6a582d0baf4e614e1cf
Instruction ID: 2a52f42ecfe82a2e53d2eac41079d2f683294bed26fad0460b11befca97380a3
Opcode Fuzzy Hash: 1d75d4c3d4a8ed30ffc29a4cbcc51968913a19729912e6a582d0baf4e614e1cf
Instruction Fuzzy Hash: F65183B3F102154BF3504D78CD583527A93E791314F2F86788E88ABBCAD97E9D0A5384

Function 00EA6610 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1270ae269f1d2dbf933cb376dd897a634806c0e491c0fbfe498512659dce344a
Instruction ID: 8b0e168c4db6314361aadcf59513bb528f8f8ce6c9245cec1332d9dd2141e47c
Opcode Fuzzy Hash: 1270ae269f1d2dbf933cb376dd897a634806c0e491c0fbfe498512659dce344a
Instruction Fuzzy Hash: 0F5125337599A04BE3288A3D5C223A67A834FDB238B2DD76EF4B19F3E5D5598C054340

Function 00EACB40 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction ID: 4968b77150b01fbd92a5288f9eb640fbb797a75c2e833df0e515e30d98c5d1b9
Opcode Fuzzy Hash: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction Fuzzy Hash: AA51B573E159304BD7249D7D9C8129ABA926B86330F2A8339ED79FB3D0D6349D0183C5

Function 00EB1FB0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80907fe5c429dedca408ffd22f32c08de5782c1144c2042222d4f61f4dddcf13
Instruction ID: 23160e8844747af7128a8e4056921f7103f5941c7b5bc2bd94317dc478884aca
Opcode Fuzzy Hash: 80907fe5c429dedca408ffd22f32c08de5782c1144c2042222d4f61f4dddcf13
Instruction Fuzzy Hash: 9C51F13161E240DFD3488F38D8A066BB7E2FF85319F588AACD5C6A7291D335D81ACB41

Function 00FE04E5 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59832d952fa9937bb82f57ba738498074843dc3188636404210effe0ba170281
Instruction ID: 0466790a38fca9ebec2de72f5181f7b18ed132c1a1093553defdc8a27c35242d
Opcode Fuzzy Hash: 59832d952fa9937bb82f57ba738498074843dc3188636404210effe0ba170281
Instruction Fuzzy Hash: 9341F3B36086108FE350AE2EDD447BAB7E6EFD4320F16893DDAC487748EA3548458793

Function 0101C048 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd99b79f0792d31395382de87b56b1d954cd90b30ad0897e733f59ed72dafb6
Instruction ID: 258dc98d5dde79ff7816f12d806367e0159a0ed9cca5089d7a2a9a64b94b31ab
Opcode Fuzzy Hash: bbd99b79f0792d31395382de87b56b1d954cd90b30ad0897e733f59ed72dafb6
Instruction Fuzzy Hash: E5410BF3A0C2005FF319AA19EC8577AB7D6EB94310F1A463CDBD9873C0EA3954118686

Function 00F49CE8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831656eb9ff72fb80e4ee73374b0cd11317459f80b28255a10727f537d4fd390
Instruction ID: 0c68cdc45256feac7e2ec8e5e4455dd863aebf14d2fc11c6639ad22a0ca9b049
Opcode Fuzzy Hash: 831656eb9ff72fb80e4ee73374b0cd11317459f80b28255a10727f537d4fd390
Instruction Fuzzy Hash: 2941E9F3D087105BE304AE38DC8132ABBA5DB94320F1A863CEED997384E975580587C6

Function 00E7A05C Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480e5e9eabffd98f2806b76bb765c0eb230277f8d54e752370bbf51403437ada
Instruction ID: 7f6532ab5c141cee4f4ac59024d98cf3307bee21f5475e8778e5084027a95399
Opcode Fuzzy Hash: 480e5e9eabffd98f2806b76bb765c0eb230277f8d54e752370bbf51403437ada
Instruction Fuzzy Hash: 02417E73B105518BD32CCE28C8A23AAFBA2FBCA314B1E923DC995A7744C7789C0147C0

Function 00E8B243 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd817fdad7c3586c1eb6d2b0ff9d0f9227671ea22d6a7c01ae00a9b1c12b492
Instruction ID: fb56f7f70a55cbb0fcb32b1140d92c6ea6adb16dc68a350930e515aa4eb2f876
Opcode Fuzzy Hash: 3fd817fdad7c3586c1eb6d2b0ff9d0f9227671ea22d6a7c01ae00a9b1c12b492
Instruction Fuzzy Hash: 2E3134312047808FCB288F39C4613ABBBF1DB5A314F28596CC1DBA7792C379A846CB10

Function 00EB0BAB Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978b1baa5b33671e0fcc49c2f4b47d8d39c0fb6268ccd3187ff8987640371a9f
Instruction ID: ce5061e6cc75fefd9d091f300247f8732fcaea4aae366c3d3baff51ebd1dcfa5
Opcode Fuzzy Hash: 978b1baa5b33671e0fcc49c2f4b47d8d39c0fb6268ccd3187ff8987640371a9f
Instruction Fuzzy Hash: 453146605146928FDB218F34C8A27F7BBB0FF87314F145759C8C19B685EB78A982CB81

Function 00E8AB2A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb157d702dee01a8a41e1008384ad3f00ba82813377417efe2e5fe319eb4f975
Instruction ID: 8144db14b47493c765e5d2279bb1b3377f94055454759d0e249c74a9612e48bc
Opcode Fuzzy Hash: bb157d702dee01a8a41e1008384ad3f00ba82813377417efe2e5fe319eb4f975
Instruction Fuzzy Hash: F92128705086829FE7268B34C8507B3BBA5EF53308F1C24AED1CBD7243E725A509C761

Function 01084F52 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 185eae16c7c2f3de3d5b9416c12bccc19c30e3b5d475aacf3f8af505f1cb6a33
Instruction ID: c69fb9f1ecf796518c0f82d71999c293e853716f4539b95576c08a2f1fb4c033
Opcode Fuzzy Hash: 185eae16c7c2f3de3d5b9416c12bccc19c30e3b5d475aacf3f8af505f1cb6a33
Instruction Fuzzy Hash: 6A216B73D2D530DBDE18342C8C612BEB69AAB94231F27072EDDE3A33C0E8644D0246C6

Function 00E72B20 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1df713c182b1002a041add34f13380869d3fd366692870faa24d90072d6342
Instruction ID: 9d26bbc949d84d8796973de2ce98e1e0a2c36c1fa3b9eb0820e12c41a4aa40e1
Opcode Fuzzy Hash: 4b1df713c182b1002a041add34f13380869d3fd366692870faa24d90072d6342
Instruction Fuzzy Hash: AC21D1742581B10BC718CE3DA8F0477B7A4DB8731272A676FEBC6A3392DA149C58D760

Function 00EA8520 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 2b3efdebb07dfa1788ce8f8d7a4e8033b28bb1f82e1f2b06f7a4c3d418be940c
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 7211C633E051D40EC3168D3C89405A5BFE31AD7634B1D9399E8B4AF2D2DA22DD8A8354

Function 00E9BB00 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704165ecad2831eee6818578ecb7b66d087a772bcbae644b5281e1cc38099ed0
Instruction ID: 194b062360229f920a272bd0a536ebd5d27062b474edb10b5a0ce62631ad6b34
Opcode Fuzzy Hash: 704165ecad2831eee6818578ecb7b66d087a772bcbae644b5281e1cc38099ed0
Instruction Fuzzy Hash: 2F01B1F1A0170197DF209E10AAD4B3BB3E86F91B08F18A42CE84867286EB71EC05C295

Function 00E8B184 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b474c2bf208cfd74eddb9caded6df2e8da91ed8c3803edf3e7f736cf9bc5e38c
Instruction ID: 3a9ccc4e2bc0d20ca205e789187b6823a75c7bcc5349aa6b81b1d2d27317bb52
Opcode Fuzzy Hash: b474c2bf208cfd74eddb9caded6df2e8da91ed8c3803edf3e7f736cf9bc5e38c
Instruction Fuzzy Hash: 4711E631104B508FD7288F25C828377BBE19B56318F199A5DC1EB977D1DB7AE109CB40

Function 00E8B173 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction ID: 9abc4fde3cd5cf194ab7fa366d664ecbdf09020250513605b164a0a0ccae994a
Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction Fuzzy Hash: 4B0171201082828FD7129F2894607A6FBE0AF63314F18A6C6D4D99B283C3649945C7A5

Function 00E7C3EC Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 837476e772166328b9ee64d6e56af0731c3f7ae240e8c30b94d05313b68935f8
Instruction ID: 9a3ef7016788c293a1fd19bd97f2f421c595e1c40c1073cf614cbdc4fbc48e71
Opcode Fuzzy Hash: 837476e772166328b9ee64d6e56af0731c3f7ae240e8c30b94d05313b68935f8
Instruction Fuzzy Hash: 1F11483028C3808FD7148F68D9D576BBBE19BD2308F349A2CE5D127292D3F5890987A7

Function 00E8B882 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction ID: bf654de077ead7dda79eebcba234b0fdb791da36823d4aa36b11ff035d4f2fff
Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction Fuzzy Hash: B6018F201082C28FE7129F2884207B6FFE0AF63314F18A6C6D0DD9F283C3689945C7A5

Function 00E8BB21 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
Instruction ID: bab871ce8e4d98a2dc51f7309829220c6fc90440e163d20a15e88207051995b1
Opcode Fuzzy Hash: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
Instruction Fuzzy Hash: 3701F2605042828FEB128F28D450766FBE0EF63314F18A6DAC4DD9B283C375C845C7A5

Function 00E8AEFF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction ID: 47ebf949d1aa30231f2db569a73ad5469792ddfc907cb904ff68bd6704d318a6
Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction Fuzzy Hash: 0B01A2201082C28FE7125F2884207B6FFE0AF63314F18A6C6D0DD9F1C3C3698945C765

Function 00E79E09 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1209768337e071d29993732debc56b78d524d9d4f5cf86c00b17b8f7c5976b97
Instruction ID: af4d4c4809860698926d97db604e0512c361e0709cbbb1db0d473a4245eccf4d
Opcode Fuzzy Hash: 1209768337e071d29993732debc56b78d524d9d4f5cf86c00b17b8f7c5976b97
Instruction Fuzzy Hash: 9DE09A349145058FC708CF48C86267BB7B0EF8A306F14B459D982FB760E3349D01C768

Function 00E7CEC7 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650a35f9569e2c835b199a325f56a6c8c12af386db75808be30bb4d9c498ed8f
Instruction ID: 21f2455a44c289d9216c667eae09fc98f66ca2bb61b00f0561577034eb0826fe
Opcode Fuzzy Hash: 650a35f9569e2c835b199a325f56a6c8c12af386db75808be30bb4d9c498ed8f
Instruction Fuzzy Hash: A3E092302596008FE21AFB11D95547BF3F2AFD2344711F85D918B37A92CE60BC05CB56

Function 00E8F2A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: fa4ab69ee5f37e8a8bf7054bc6374fafb28c5597fe9439c950053d09827c5711
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 5DD0A7715487A10E9759CE3804A0477FBE8E947626B1824AEE4D9F7115D220DC014798

Function 00E7D334 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1243750477.0000000000E71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true

Associated: 00000000.00000002.1243737091.0000000000E70000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243784879.0000000000EC5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000112C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.0000000001155000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000115F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1243798763.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244137768.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244260609.000000000130A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1244302608.000000000130B000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e70000_P2V7Mr3DUF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a95c75688890de87d0786b02c98133044cf5cfb7552863a916f7b9b7faada1
Instruction ID: a31a9f4fd0edd7940027f6191ba4b58754394f47784bc6dbb931818d015d4022
Opcode Fuzzy Hash: 69a95c75688890de87d0786b02c98133044cf5cfb7552863a916f7b9b7faada1
Instruction Fuzzy Hash: D3C04C2576C0008F9249CA16AC5057366769FCB254714F119844A73695E2309456850D

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report P2V7Mr3DUF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
P2V7Mr3DUF.exe

Function 00E7B2B0 Relevance: 9.3, Strings: 7, Instructions: 518
COMMON

Function 00E78880 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 188
COMMON

Function 00E7AA36 Relevance: 2.6, Strings: 2, Instructions: 61
COMMON

Function 00EB02C0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00EB0260 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Function 00E7AB12 Relevance: 1.5, APIs: 1, Instructions: 20
networkCOMMON

Function 00EAEB40 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Function 00EAEB20 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON