Edit tour

Windows Analysis Report
NvOxePa.exe

Overview

General Information

Sample name:	NvOxePa.exe
Analysis ID:	1586672
MD5:	8c009fe6cb49e086b63c4b385f5a7af9
SHA1:	792625a1b22deb09fae027ac58444e2c99a90786
SHA256:	068d2e3ff303f0fa74fc2821aa128539d8807605b0642d653692c3ff35d14d79
Tags:	exemalwareThemidatrojanuser-Joker
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

NvOxePa.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\NvOxePa.exe" MD5: 8C009FE6CB49E086B63C4B385F5A7AF9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["robinsharez.shop", "handscreamny.shop", "femalsabler.shop", "apporholis.shop", "letterdrive.shop", "chipdonkeruz.shop", "soundtappysk.shop", "crowdwarek.shop", "versersleep.shop"], "Build id": "7tx2jo--915"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:38:02.624813+0100	2028371	3	Unknown Traffic	192.168.2.7	49699	104.102.49.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:38:01.597453+0100	2059035	1	Domain Observed Used for C2 Detected	192.168.2.7	49176	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:38:01.820481+0100	2059037	1	Domain Observed Used for C2 Detected	192.168.2.7	60579	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:38:01.672685+0100	2059039	1	Domain Observed Used for C2 Detected	192.168.2.7	63042	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:38:01.587982+0100	2059041	1	Domain Observed Used for C2 Detected	192.168.2.7	65467	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:38:01.832440+0100	2059043	1	Domain Observed Used for C2 Detected	192.168.2.7	56406	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:38:01.913935+0100	2059049	1	Domain Observed Used for C2 Detected	192.168.2.7	60977	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:38:01.577342+0100	2059051	1	Domain Observed Used for C2 Detected	192.168.2.7	58870	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:38:01.689567+0100	2059057	1	Domain Observed Used for C2 Detected	192.168.2.7	53129	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:38:03.116019+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.7	49699	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: NvOxePa.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://femalsabler.shop:443/api	Avira URL Cloud: Label: malware
Source: https://robinsharez.shop:443/api	Avira URL Cloud: Label: malware
Source: https://chipdonkeruz.shop:443/api	Avira URL Cloud: Label: malware
Source: https://soundtappysk.shop:443/api	Avira URL Cloud: Label: malware
Source: https://apporholis.shop:443/api	Avira URL Cloud: Label: malware
Source: https://versersleep.shop:443/apiy	Avira URL Cloud: Label: malware
Source: https://handscreamny.shop:443/api	Avira URL Cloud: Label: malware
Source: letterdrive.shop	Avira URL Cloud: Label: malware

Found malware configuration

Source: NvOxePa.exe.7264.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["robinsharez.shop", "handscreamny.shop", "femalsabler.shop", "apporholis.shop", "letterdrive.shop", "chipdonkeruz.shop", "soundtappysk.shop", "crowdwarek.shop", "versersleep.shop"], "Build id": "7tx2jo--915"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: NvOxePa.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp	String decryptor: robinsharez.shop
Source: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp	String decryptor: handscreamny.shop
Source: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp	String decryptor: chipdonkeruz.shop
Source: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp	String decryptor: versersleep.shop
Source: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp	String decryptor: crowdwarek.shop
Source: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp	String decryptor: apporholis.shop
Source: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp	String decryptor: femalsabler.shop
Source: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp	String decryptor: soundtappysk.shop
Source: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp	String decryptor: letterdrive.shop
Source: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 7tx2jo--915

Source: NvOxePa.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49699 version: TLS 1.2

Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov ecx, edx	0_2_0033B2B0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00357070
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	0_2_0033A05C
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_2_0036F0E0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_0035B170
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0034B173
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0034B184
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	0_2_00332210
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_0034B243
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0034F2A0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov ecx, eax	0_2_00358280
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]	0_2_0033C334
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00352380
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then jmp ecx	0_2_0033D334
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+72B923DBh]	0_2_0033C3EC
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h	0_2_0037042D
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov ecx, eax	0_2_0037042D
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_00347405
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]	0_2_00347405
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov edx, ecx	0_2_00347405
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov eax, edi	0_2_0034C400
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov ecx, eax	0_2_00372470
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_00357490
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0034B484
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00368520
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then push edi	0_2_0036C5A0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]	0_2_0036C5A0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00337620
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00337620
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov ecx, dword ptr [0037C548h]	0_2_00348672
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0034B667
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_0035B652
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov esi, ecx	0_2_00345720
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov ecx, eax	0_2_00345720
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	0_2_003727B0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0035D830
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], edx	0_2_0036B870
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov edx, ecx	0_2_0036B870
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	0_2_00349840
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then jmp eax	0_2_003718A0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0034B882
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0034A900
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then test esi, esi	0_2_0036C9A0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov ecx, eax	0_2_0033AA32
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0035EA62
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov ebx, eax	0_2_00335AB0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov ebp, eax	0_2_00335AB0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]	0_2_00355AF0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0034BB21
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00371B20
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0034AB2A
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0035BB00
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0035EB5F
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0035EBB3
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00371BB0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]	0_2_0034BBA0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0035EBA1
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov dword ptr [ebx], 00000022h	0_2_0035BBA0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov ecx, eax	0_2_00370BAB
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov ebx, edx	0_2_0035DBF0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00344C20
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00356C76
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	0_2_00371C40
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh	0_2_00372D20
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_00355D6A
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00339E09
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0034AEFF
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]	0_2_0034BEE1
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]	0_2_00346ED0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then jmp ecx	0_2_0033CEC7
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]	0_2_00338F90
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]	0_2_0033DFE2
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_0033DFE2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop) : 192.168.2.7:63042 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059043 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop) : 192.168.2.7:56406 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059037 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop) : 192.168.2.7:60579 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059057 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop) : 192.168.2.7:53129 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059041 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop) : 192.168.2.7:65467 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059049 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop) : 192.168.2.7:60977 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059035 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop) : 192.168.2.7:49176 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059051 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop) : 192.168.2.7:58870 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49699 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: robinsharez.shop
Source: Malware configuration extractor	URLs: handscreamny.shop
Source: Malware configuration extractor	URLs: femalsabler.shop
Source: Malware configuration extractor	URLs: apporholis.shop
Source: Malware configuration extractor	URLs: letterdrive.shop
Source: Malware configuration extractor	URLs: chipdonkeruz.shop
Source: Malware configuration extractor	URLs: soundtappysk.shop
Source: Malware configuration extractor	URLs: crowdwarek.shop
Source: Malware configuration extractor	URLs: versersleep.shop

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49699 -> 104.102.49.254:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambr equals www.youtube.com (Youtube)
Source: NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=aa3a5aca7c87fe4a4d532359; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 09 Jan 2025 12:38:03 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control> equals www.youtube.com (Youtube)
Source: NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambr equals www.youtube.com (Youtube)
Source: NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: oadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: oadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=aa3a5aca7c87fe4a4d532359; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 09 Jan 2025 12:38:03 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control> equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: letterdrive.shop
Source: global traffic	DNS traffic detected: DNS query: soundtappysk.shop
Source: global traffic	DNS traffic detected: DNS query: femalsabler.shop
Source: global traffic	DNS traffic detected: DNS query: apporholis.shop
Source: global traffic	DNS traffic detected: DNS query: crowdwarek.shop
Source: global traffic	DNS traffic detected: DNS query: versersleep.shop
Source: global traffic	DNS traffic detected: DNS query: chipdonkeruz.shop
Source: global traffic	DNS traffic detected: DNS query: handscreamny.shop
Source: global traffic	DNS traffic detected: DNS query: robinsharez.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: NvOxePa.exe, 00000000.00000002.1272320460.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apporholis.shop:443/api
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: NvOxePa.exe, 00000000.00000002.1272320460.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chipdonkeruz.shop:443/api
Source: NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: NvOxePa.exe, 00000000.00000003.1271233382.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1272320460.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: NvOxePa.exe, 00000000.00000003.1271233382.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1272320460.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: NvOxePa.exe, 00000000.00000003.1271233382.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1272320460.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: NvOxePa.exe, 00000000.00000002.1272320460.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://femalsabler.shop:443/api
Source: NvOxePa.exe, 00000000.00000002.1272320460.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://handscreamny.shop:443/api
Source: NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: NvOxePa.exe, 00000000.00000002.1272320460.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://robinsharez.shop:443/api
Source: NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: NvOxePa.exe, 00000000.00000002.1272320460.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soundtappysk.shop:443/api
Source: NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/g
Source: NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: NvOxePa.exe, 00000000.00000003.1271233382.0000000000E1D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1272320460.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1272320460.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: NvOxePa.exe, 00000000.00000002.1272320460.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: NvOxePa.exe, 00000000.00000002.1272320460.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://versersleep.shop:443/apiy
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49699 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: NvOxePa.exe	Static PE information: section name:
Source: NvOxePa.exe	Static PE information: section name: .idata
Source: NvOxePa.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0033B2B0	0_2_0033B2B0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00338880	0_2_00338880
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00336000	0_2_00336000
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00357070	0_2_00357070
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037	0_2_004F6037
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F9098	0_2_004F9098
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0034D0C0	0_2_0034D0C0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00357133	0_2_00357133
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0037711E	0_2_0037711E
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00355100	0_2_00355100
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0035B170	0_2_0035B170
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0036F150	0_2_0036F150
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_003421DB	0_2_003421DB
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0034825B	0_2_0034825B
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_003342B0	0_2_003342B0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_003392A0	0_2_003392A0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0059A2B1	0_2_0059A2B1
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_003D333E	0_2_003D333E
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00338360	0_2_00338360
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F0325	0_2_004F0325
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_003793B4	0_2_003793B4
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00352380	0_2_00352380
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_003363C0	0_2_003363C0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00358437	0_2_00358437
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0036443D	0_2_0036443D
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00362426	0_2_00362426
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00347405	0_2_00347405
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0034C400	0_2_0034C400
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0034D400	0_2_0034D400
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00372470	0_2_00372470
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_003674AB	0_2_003674AB
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0036A4EF	0_2_0036A4EF
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_003654C4	0_2_003654C4
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0033D545	0_2_0033D545
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0036C5A0	0_2_0036C5A0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00337620	0_2_00337620
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00375620	0_2_00375620
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00366610	0_2_00366610
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0034A690	0_2_0034A690
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_003486FC	0_2_003486FC
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004FF692	0_2_004FF692
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0034F6D0	0_2_0034F6D0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00345720	0_2_00345720
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F3762	0_2_004F3762
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0050272A	0_2_0050272A
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_003727B0	0_2_003727B0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00339790	0_2_00339790
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004FD7EB	0_2_004FD7EB
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_003557E0	0_2_003557E0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0036F820	0_2_0036F820
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0036080E	0_2_0036080E
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0036B870	0_2_0036B870
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00357860	0_2_00357860
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00336850	0_2_00336850
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00349840	0_2_00349840
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_003718A0	0_2_003718A0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00363930	0_2_00363930
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00369923	0_2_00369923
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00333900	0_2_00333900
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0034194F	0_2_0034194F
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0033E9B0	0_2_0033E9B0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004749FE	0_2_004749FE
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0035A9F7	0_2_0035A9F7
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004FCA52	0_2_004FCA52
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0033CA62	0_2_0033CA62
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00372A60	0_2_00372A60
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0035EA62	0_2_0035EA62
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004C5A12	0_2_004C5A12
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00335AB0	0_2_00335AB0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00355AF0	0_2_00355AF0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0034DAD0	0_2_0034DAD0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00359ADE	0_2_00359ADE
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00362B24	0_2_00362B24
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00332B20	0_2_00332B20
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00371B20	0_2_00371B20
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004D4B04	0_2_004D4B04
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00358B67	0_2_00358B67
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00367B69	0_2_00367B69
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0035EB5F	0_2_0035EB5F
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0036CB40	0_2_0036CB40
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0035EBB3	0_2_0035EBB3
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00371BB0	0_2_00371BB0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0034BBA0	0_2_0034BBA0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0035EBA1	0_2_0035EBA1
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0035BBA0	0_2_0035BBA0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0035DBF0	0_2_0035DBF0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00344C20	0_2_00344C20
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00586C40	0_2_00586C40
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00356C76	0_2_00356C76
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00371C40	0_2_00371C40
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0034DCB0	0_2_0034DCB0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0036ACB0	0_2_0036ACB0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0035FCBC	0_2_0035FCBC
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00364CEF	0_2_00364CEF
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6CAD	0_2_004F6CAD
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00500D52	0_2_00500D52
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0036CD27	0_2_0036CD27
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00372D20	0_2_00372D20
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00365D13	0_2_00365D13
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F1D1B	0_2_004F1D1B
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00355D6A	0_2_00355D6A
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00350D90	0_2_00350D90
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00545DA6	0_2_00545DA6
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0033AE30	0_2_0033AE30
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00351E70	0_2_00351E70
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00361E8E	0_2_00361E8E
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00332EF0	0_2_00332EF0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00353EFF	0_2_00353EFF
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0034BEE1	0_2_0034BEE1
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00346ED0	0_2_00346ED0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00357F30	0_2_00357F30
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0034AF24	0_2_0034AF24
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00371FB0	0_2_00371FB0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0033DFE2	0_2_0033DFE2
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00359FE4	0_2_00359FE4
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0033CFEC	0_2_0033CFEC

Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: String function: 00338170 appears 45 times
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: String function: 00344C10 appears 116 times

Source: NvOxePa.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: NvOxePa.exe	Static PE information: Section: ZLIB complexity 0.9977520636792453
Source: NvOxePa.exe	Static PE information: Section: zshtsyot ZLIB complexity 0.9943469533348255

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@10/1

Source: C:\Users\user\Desktop\NvOxePa.exe

Code function: 0_2_00362426 CoCreateInstance,

0_2_00362426

Source: C:\Users\user\Desktop\NvOxePa.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NvOxePa.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\NvOxePa.exe

File read: C:\Users\user\Desktop\NvOxePa.exe

Jump to behavior

Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Section loaded: dpapi.dll	Jump to behavior

Source: NvOxePa.exe

Static file information: File size 1893888 > 1048576

Source: NvOxePa.exe

Static PE information: Raw size of zshtsyot is bigger than: 0x100000 < 0x1a2e00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\NvOxePa.exe

Unpacked PE file: 0.2.NvOxePa.exe.330000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zshtsyot:EW;vzwdmjja:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zshtsyot:EW;vzwdmjja:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: NvOxePa.exe

Static PE information: real checksum: 0x1d6802 should be: 0x1dc067

Source: NvOxePa.exe	Static PE information: section name:
Source: NvOxePa.exe	Static PE information: section name: .idata
Source: NvOxePa.exe	Static PE information: section name:
Source: NvOxePa.exe	Static PE information: section name: zshtsyot
Source: NvOxePa.exe	Static PE information: section name: vzwdmjja
Source: NvOxePa.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_00376024 push es; retf	0_2_0037605E
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0039E061 push 3449018Ah; mov dword ptr [esp], edx	0_2_0039E07C
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0039E061 push esi; mov dword ptr [esp], ecx	0_2_0039E094
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_0039E061 push edi; mov dword ptr [esp], ebx	0_2_0039E0CC
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037 push ecx; mov dword ptr [esp], ebp	0_2_004F604B
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037 push 7BFCD911h; mov dword ptr [esp], ecx	0_2_004F60B0
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037 push 5C57E351h; mov dword ptr [esp], ebx	0_2_004F60F2
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037 push eax; mov dword ptr [esp], 303EF020h	0_2_004F6137
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037 push 14DB93A9h; mov dword ptr [esp], edx	0_2_004F61A6
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037 push ebp; mov dword ptr [esp], eax	0_2_004F61AA
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037 push edi; mov dword ptr [esp], eax	0_2_004F61E1
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037 push 0D2E3839h; mov dword ptr [esp], ecx	0_2_004F6274
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037 push 20867DA3h; mov dword ptr [esp], edi	0_2_004F6334
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037 push ebp; mov dword ptr [esp], 00000004h	0_2_004F6338
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037 push 716A8EBBh; mov dword ptr [esp], eax	0_2_004F636F
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037 push edx; mov dword ptr [esp], eax	0_2_004F6387
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037 push ebx; mov dword ptr [esp], ecx	0_2_004F640D
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037 push 5FDAA309h; mov dword ptr [esp], ebx	0_2_004F6429
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037 push 13DBE2FDh; mov dword ptr [esp], ecx	0_2_004F646F
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F6037 push ebp; mov dword ptr [esp], edi	0_2_004F651E
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F9098 push ecx; mov dword ptr [esp], 777E384Ch	0_2_004F915E
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F9098 push eax; mov dword ptr [esp], edx	0_2_004F91ED
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F9098 push 3BFEB631h; mov dword ptr [esp], edx	0_2_004F9312
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F9098 push ebx; mov dword ptr [esp], ecx	0_2_004F9390
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F9098 push 1AF29C13h; mov dword ptr [esp], edi	0_2_004F939D
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F9098 push 0A876B63h; mov dword ptr [esp], edx	0_2_004F93C5
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F9098 push 54ACC10Bh; mov dword ptr [esp], esi	0_2_004F93E5
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F9098 push 5F4F4816h; mov dword ptr [esp], esp	0_2_004F9497
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F9098 push edi; mov dword ptr [esp], ecx	0_2_004F94AE
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F9098 push esi; mov dword ptr [esp], 000014CCh	0_2_004F94E8
Source: C:\Users\user\Desktop\NvOxePa.exe	Code function: 0_2_004F9098 push 2E7D7AADh; mov dword ptr [esp], esi	0_2_004F956C

Source: NvOxePa.exe	Static PE information: section name: entropy: 7.9755838331463895
Source: NvOxePa.exe	Static PE information: section name: zshtsyot entropy: 7.954406506590485

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\NvOxePa.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\NvOxePa.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 38AA2C second address: 38AA36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FCE44DE0F56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5077A5 second address: 5077AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FCE44C64126h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 4F9D46 second address: 4F9D50 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCE44DE0F56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 506716 second address: 50671A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 506867 second address: 506873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FCE44DE0F62h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 506873 second address: 50687D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCE44C64126h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 50687D second address: 50689C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a jl 00007FCE44DE0F5Ah 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jl 00007FCE44DE0F96h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 50689C second address: 5068D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FCE44C64130h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jnp 00007FCE44C64126h 0x00000015 jmp 00007FCE44C64136h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 506B77 second address: 506B7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 506B7D second address: 506B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 506B87 second address: 506B98 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCE44DE0F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 506B98 second address: 506BB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C64136h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 506BB2 second address: 506BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FCE44DE0F5Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 506BC6 second address: 506BD3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCE44C64128h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 506E90 second address: 506E98 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 506E98 second address: 506ED6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCE44C6413Eh 0x00000008 jmp 00007FCE44C64138h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FCE44C64132h 0x00000016 jng 00007FCE44C6412Eh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 506ED6 second address: 506EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 509EA2 second address: 509EB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C6412Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 509EB4 second address: 509F0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44DE0F5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 11072D66h 0x00000010 mov edi, 51E17FFBh 0x00000015 push 00000003h 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007FCE44DE0F58h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000018h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 mov dh, ch 0x00000033 push 00000000h 0x00000035 movzx edi, si 0x00000038 push 00000003h 0x0000003a and edx, 5EEAF076h 0x00000040 push E6DC5EBDh 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 push ecx 0x00000049 pop ecx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 50A0BF second address: 50A0CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCE44C6412Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 50A0CF second address: 50A0D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 50A168 second address: 50A1F0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCE44C64126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007FCE44C64128h 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FCE44C64128h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e xor edx, 7E636533h 0x00000034 push 00000000h 0x00000036 jmp 00007FCE44C64133h 0x0000003b call 00007FCE44C64129h 0x00000040 pushad 0x00000041 jg 00007FCE44C64128h 0x00000047 jmp 00007FCE44C64137h 0x0000004c popad 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007FCE44C6412Dh 0x00000055 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 50A1F0 second address: 50A20D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push esi 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop esi 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007FCE44DE0F56h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 50A20D second address: 50A221 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C6412Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 50A304 second address: 50A308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 50A308 second address: 50A30D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 500919 second address: 50092A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jo 00007FCE44DE0F56h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 528D99 second address: 528DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FCE44C64136h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCE44C6412Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 52920C second address: 529217 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007FCE44DE0F56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 529781 second address: 529786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 529786 second address: 529798 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCE44DE0F58h 0x00000008 jng 00007FCE44DE0F5Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 52990D second address: 529912 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 52A43A second address: 52A471 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCE44DE0F5Dh 0x00000008 pushad 0x00000009 popad 0x0000000a jng 00007FCE44DE0F56h 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push edx 0x00000018 jl 00007FCE44DE0F56h 0x0000001e pushad 0x0000001f popad 0x00000020 pop edx 0x00000021 jp 00007FCE44DE0F5Eh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 52A742 second address: 52A757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE44C64131h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 52A9CA second address: 52A9D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 52A9D5 second address: 52A9DA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 52F0D4 second address: 52F0EB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCE44DE0F5Ch 0x00000008 pushad 0x00000009 jp 00007FCE44DE0F56h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 52F0EB second address: 52F0FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FCE44C64126h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 52F0FD second address: 52F101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5317DA second address: 531805 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C64134h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007FCE44C6412Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 531805 second address: 53180C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53180C second address: 53183E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jnl 00007FCE44C6413Ch 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push edi 0x00000014 jo 00007FCE44C6412Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 52FF4C second address: 52FF52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5306D4 second address: 5306F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C64136h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53192D second address: 531955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FCE44DE0F5Ah 0x0000000d js 00007FCE44DE0F58h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d jns 00007FCE44DE0F56h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 531955 second address: 531959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 531959 second address: 53198F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FCE44DE0F61h 0x0000000c jmp 00007FCE44DE0F5Ch 0x00000011 popad 0x00000012 popad 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 jg 00007FCE44DE0F5Ch 0x0000001d rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 532CD5 second address: 532CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FCE44C64132h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 532CEB second address: 532CF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 532CF2 second address: 532CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 537984 second address: 537995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jne 00007FCE44DE0F6Ah 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 537AE6 second address: 537B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FCE44C64134h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5380F6 second address: 538128 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCE44DE0F5Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FCE44DE0F6Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53AAED second address: 53AB15 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCE44C64126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d jmp 00007FCE44C6412Ch 0x00000012 pop eax 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jne 00007FCE44C64126h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53AB15 second address: 53AB19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53AB19 second address: 53AB1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53AB1F second address: 53AB86 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007FCE44DE0F56h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push edx 0x0000000f pushad 0x00000010 jno 00007FCE44DE0F56h 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e jno 00007FCE44DE0F5Eh 0x00000024 pop eax 0x00000025 push 00000000h 0x00000027 push edx 0x00000028 call 00007FCE44DE0F58h 0x0000002d pop edx 0x0000002e mov dword ptr [esp+04h], edx 0x00000032 add dword ptr [esp+04h], 00000016h 0x0000003a inc edx 0x0000003b push edx 0x0000003c ret 0x0000003d pop edx 0x0000003e ret 0x0000003f mov edi, dword ptr [ebp+122D2B4Ch] 0x00000045 mov esi, ecx 0x00000047 push 51DF1685h 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FCE44DE0F5Dh 0x00000053 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53AB86 second address: 53AB8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53B035 second address: 53B039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53B039 second address: 53B04E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C64131h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53B7B2 second address: 53B7FE instructions: 0x00000000 rdtsc 0x00000002 je 00007FCE44DE0F64h 0x00000008 jmp 00007FCE44DE0F5Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edi 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop edi 0x00000015 pop eax 0x00000016 xchg eax, ebx 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007FCE44DE0F58h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 mov dword ptr [ebp+12474C5Dh], esi 0x00000037 nop 0x00000038 pushad 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53B97E second address: 53B988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53BC78 second address: 53BC7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53BD8D second address: 53BDBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 jmp 00007FCE44C6412Eh 0x0000000c nop 0x0000000d pushad 0x0000000e mov ax, si 0x00000011 mov bx, ax 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FCE44C6412Dh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53BDBB second address: 53BDCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCE44DE0F5Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53BDCA second address: 53BDCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53C2A7 second address: 53C2D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE44DE0F69h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCE44DE0F61h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53E5E8 second address: 53E5F2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCE44C64126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53E5F2 second address: 53E607 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e je 00007FCE44DE0F56h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5400F4 second address: 540101 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FCE44C64126h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 540101 second address: 540123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d je 00007FCE44DE0F6Ah 0x00000013 pushad 0x00000014 jp 00007FCE44DE0F56h 0x0000001a jns 00007FCE44DE0F56h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 4FEE02 second address: 4FEE19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCE44C64131h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 4FEE19 second address: 4FEE1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 543D66 second address: 543DA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 jp 00007FCE44C64135h 0x0000000e jmp 00007FCE44C6412Fh 0x00000013 push 00000000h 0x00000015 adc di, 1C61h 0x0000001a push 00000000h 0x0000001c or esi, dword ptr [ebp+122D29A0h] 0x00000022 xchg eax, ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FCE44C64131h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53EF1A second address: 53EF24 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCE44DE0F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5022BF second address: 5022C9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCE44C64126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5424DD second address: 5424E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5022C9 second address: 5022DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007FCE44C64136h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 548115 second address: 548119 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 548119 second address: 54811F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54905E second address: 549068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FCE44DE0F56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 547373 second address: 5473F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C6412Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FCE44C64128h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 jns 00007FCE44C64128h 0x00000018 push esi 0x00000019 pop esi 0x0000001a pushad 0x0000001b jmp 00007FCE44C64133h 0x00000020 jbe 00007FCE44C64126h 0x00000026 popad 0x00000027 popad 0x00000028 nop 0x00000029 mov bl, DBh 0x0000002b push dword ptr fs:[00000000h] 0x00000032 add ebx, dword ptr [ebp+122D1C7Bh] 0x00000038 jmp 00007FCE44C6412Bh 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 mov ebx, esi 0x00000046 mov eax, dword ptr [ebp+122D0911h] 0x0000004c mov dword ptr [ebp+122D314Dh], ecx 0x00000052 push FFFFFFFFh 0x00000054 and bx, A65Ch 0x00000059 push eax 0x0000005a push edi 0x0000005b pushad 0x0000005c jns 00007FCE44C64126h 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54A12F second address: 54A198 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007FCE44DE0F58h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 mov edi, esi 0x00000024 push 00000000h 0x00000026 mov bx, si 0x00000029 pushad 0x0000002a mov ebx, dword ptr [ebp+12463902h] 0x00000030 mov eax, dword ptr [ebp+122D3581h] 0x00000036 popad 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c call 00007FCE44DE0F58h 0x00000041 pop edi 0x00000042 mov dword ptr [esp+04h], edi 0x00000046 add dword ptr [esp+04h], 00000019h 0x0000004e inc edi 0x0000004f push edi 0x00000050 ret 0x00000051 pop edi 0x00000052 ret 0x00000053 xchg eax, esi 0x00000054 push ecx 0x00000055 push eax 0x00000056 push edx 0x00000057 push ecx 0x00000058 pop ecx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54A198 second address: 54A19C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54B1BA second address: 54B244 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCE44DE0F67h 0x00000008 jmp 00007FCE44DE0F61h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FCE44DE0F58h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c jmp 00007FCE44DE0F66h 0x00000031 push 00000000h 0x00000033 jmp 00007FCE44DE0F69h 0x00000038 push 00000000h 0x0000003a xchg eax, esi 0x0000003b jno 00007FCE44DE0F5Eh 0x00000041 push eax 0x00000042 push esi 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54C0DD second address: 54C0F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCE44C6412Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54C0F0 second address: 54C11F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCE44DE0F58h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d jmp 00007FCE44DE0F5Bh 0x00000012 push 00000000h 0x00000014 mov bl, 21h 0x00000016 push 00000000h 0x00000018 jbe 00007FCE44DE0F5Ah 0x0000001e mov bx, AC51h 0x00000022 xchg eax, esi 0x00000023 push eax 0x00000024 push edx 0x00000025 push ebx 0x00000026 push edi 0x00000027 pop edi 0x00000028 pop ebx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54C11F second address: 54C135 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCE44C64132h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54D260 second address: 54D2F2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCE44DE0F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FCE44DE0F64h 0x00000010 nop 0x00000011 mov dword ptr [ebp+122D2FF0h], ecx 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007FCE44DE0F58h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 mov ebx, 2637F954h 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push eax 0x0000003d call 00007FCE44DE0F58h 0x00000042 pop eax 0x00000043 mov dword ptr [esp+04h], eax 0x00000047 add dword ptr [esp+04h], 0000001Bh 0x0000004f inc eax 0x00000050 push eax 0x00000051 ret 0x00000052 pop eax 0x00000053 ret 0x00000054 push edx 0x00000055 push eax 0x00000056 call 00007FCE44DE0F63h 0x0000005b pop ebx 0x0000005c pop edi 0x0000005d pop ebx 0x0000005e push eax 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54D2F2 second address: 54D2F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54D2F6 second address: 54D30C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44DE0F5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5492AD second address: 5492B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54D30C second address: 54D310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5492B1 second address: 549350 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCE44C64126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FCE44C6412Fh 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 jmp 00007FCE44C64139h 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push esi 0x0000001b pop esi 0x0000001c popad 0x0000001d popad 0x0000001e nop 0x0000001f jnc 00007FCE44C64129h 0x00000025 movsx ebx, bx 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 mov eax, dword ptr [ebp+122D1535h] 0x0000003c mov dword ptr [ebp+122D2695h], edx 0x00000042 push FFFFFFFFh 0x00000044 push 00000000h 0x00000046 push edx 0x00000047 call 00007FCE44C64128h 0x0000004c pop edx 0x0000004d mov dword ptr [esp+04h], edx 0x00000051 add dword ptr [esp+04h], 00000015h 0x00000059 inc edx 0x0000005a push edx 0x0000005b ret 0x0000005c pop edx 0x0000005d ret 0x0000005e nop 0x0000005f push edx 0x00000060 push edx 0x00000061 jmp 00007FCE44C6412Ch 0x00000066 pop edx 0x00000067 pop edx 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b jp 00007FCE44C6412Ch 0x00000071 jg 00007FCE44C64126h 0x00000077 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54B332 second address: 54B337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54C3BB second address: 54C3C0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 549350 second address: 549356 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 4EFDFC second address: 4EFE02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 4EFE02 second address: 4EFE06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 4EFE06 second address: 4EFE24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCE44C64136h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 4EFE24 second address: 4EFE37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44DE0F5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 550A6E second address: 550A80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C6412Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 551A0A second address: 551A1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44DE0F5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 551A1A second address: 551A24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FCE44C64126h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54FAE9 second address: 54FBB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44DE0F60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FCE44DE0F68h 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 jbe 00007FCE44DE0F58h 0x00000019 push edx 0x0000001a pop edx 0x0000001b jmp 00007FCE44DE0F68h 0x00000020 popad 0x00000021 nop 0x00000022 je 00007FCE44DE0F56h 0x00000028 push dword ptr fs:[00000000h] 0x0000002f add dword ptr [ebp+12451587h], ebx 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c and ebx, 29094B70h 0x00000042 mov eax, dword ptr [ebp+122D0909h] 0x00000048 push 00000000h 0x0000004a push ebp 0x0000004b call 00007FCE44DE0F58h 0x00000050 pop ebp 0x00000051 mov dword ptr [esp+04h], ebp 0x00000055 add dword ptr [esp+04h], 00000014h 0x0000005d inc ebp 0x0000005e push ebp 0x0000005f ret 0x00000060 pop ebp 0x00000061 ret 0x00000062 jmp 00007FCE44DE0F65h 0x00000067 push FFFFFFFFh 0x00000069 adc bx, 173Ch 0x0000006e jg 00007FCE44DE0F62h 0x00000074 nop 0x00000075 push eax 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54FBB3 second address: 54FBB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54FBB7 second address: 54FBBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54FBBB second address: 54FBC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 54FBC1 second address: 54FBE0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCE44DE0F5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCE44DE0F5Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 555F48 second address: 555F4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 555F4C second address: 555FC2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FCE44DE0F64h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FCE44DE0F58h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov bx, 99F6h 0x0000002c push 00000000h 0x0000002e mov edi, 4C4E8334h 0x00000033 sub edi, dword ptr [ebp+122D34A2h] 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007FCE44DE0F58h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 0000001Bh 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 xchg eax, esi 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 push ebx 0x0000005a pop ebx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 556F59 second address: 556F5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 55612B second address: 556148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FCE44DE0F5Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 556148 second address: 55614C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 55614C second address: 556152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 556152 second address: 5561ED instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCE44C64128h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d sub dword ptr [ebp+122D358Ch], edx 0x00000013 add edi, dword ptr [ebp+122D2B74h] 0x00000019 push dword ptr fs:[00000000h] 0x00000020 jmp 00007FCE44C64136h 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c mov edi, 4BD8CB40h 0x00000031 mov ebx, dword ptr [ebp+122D2994h] 0x00000037 mov eax, dword ptr [ebp+122D0E49h] 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007FCE44C64128h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 00000017h 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 jp 00007FCE44C6412Ah 0x0000005d sub ebx, 2ECF77F6h 0x00000063 push FFFFFFFFh 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 js 00007FCE44C64139h 0x0000006e rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 561D6E second address: 561D72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 561D72 second address: 561D76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 561D76 second address: 561D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 561D7F second address: 561DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCE44C64134h 0x0000000b popad 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 jc 00007FCE44C64126h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 561EDE second address: 561F13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44DE0F66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCE44DE0F67h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 561F13 second address: 561F27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C6412Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5621DC second address: 5621E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5621E3 second address: 5621ED instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5621ED second address: 5621F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 566A7C second address: 566A87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FCE44C64126h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 56D6DB second address: 56D71E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCE44DE0F67h 0x00000008 jmp 00007FCE44DE0F5Bh 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007FCE44DE0F61h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jno 00007FCE44DE0F56h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 56DE49 second address: 56DE4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 56E0CC second address: 56E0D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 56E0D2 second address: 56E0E5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCE44C64126h 0x00000008 jo 00007FCE44C64126h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 56E234 second address: 56E24C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCE44DE0F62h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 56E24C second address: 56E256 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCE44C6412Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 56E802 second address: 56E808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 56E808 second address: 56E80C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 56E80C second address: 56E81E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44DE0F5Dh 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 56E81E second address: 56E824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 571B24 second address: 571B29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 579F8E second address: 579F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 579F92 second address: 579F96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 578DA4 second address: 578DAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 57907F second address: 579084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 579084 second address: 57908A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 57908A second address: 57908E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 579380 second address: 579384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 579384 second address: 579388 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 579388 second address: 5793BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c jmp 00007FCE44C64134h 0x00000011 jg 00007FCE44C64128h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b jg 00007FCE44C64126h 0x00000021 pop esi 0x00000022 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5225D4 second address: 5225D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5225D8 second address: 5225E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5225E2 second address: 5225E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 579E48 second address: 579E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 579E50 second address: 579E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE44DE0F5Ch 0x00000009 jmp 00007FCE44DE0F67h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 57888C second address: 578890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 581DA4 second address: 581DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 580EBC second address: 580ECB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jc 00007FCE44C64126h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 580954 second address: 58095A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 557105 second address: 55711C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C64133h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 55820A second address: 55820E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 55820E second address: 558218 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 559139 second address: 5591AA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCE44DE0F58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FCE44DE0F58h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 mov bx, ax 0x00000028 mov ebx, 33BA1621h 0x0000002d push dword ptr fs:[00000000h] 0x00000034 sub ebx, dword ptr [ebp+122D38BFh] 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 mov bx, ax 0x00000044 mov eax, dword ptr [ebp+122D08E5h] 0x0000004a mov bl, 67h 0x0000004c push FFFFFFFFh 0x0000004e mov bl, ch 0x00000050 nop 0x00000051 push eax 0x00000052 jne 00007FCE44DE0F58h 0x00000058 pop eax 0x00000059 push eax 0x0000005a pushad 0x0000005b push esi 0x0000005c push ecx 0x0000005d pop ecx 0x0000005e pop esi 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58158A second address: 58158E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58158E second address: 581596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 581596 second address: 5815AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C64133h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 539862 second address: 539866 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 539866 second address: 53986C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53986C second address: 539887 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44DE0F5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FCE44DE0F58h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 539887 second address: 38AA2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C6412Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov cx, 9F6Ah 0x0000000e push dword ptr [ebp+122D1339h] 0x00000014 add di, 2444h 0x00000019 call dword ptr [ebp+122D3474h] 0x0000001f pushad 0x00000020 mov dword ptr [ebp+122D3461h], ebx 0x00000026 jne 00007FCE44C64132h 0x0000002c xor eax, eax 0x0000002e mov dword ptr [ebp+122D3461h], ebx 0x00000034 jmp 00007FCE44C6412Bh 0x00000039 mov edx, dword ptr [esp+28h] 0x0000003d pushad 0x0000003e mov cl, 6Dh 0x00000040 mov ebx, dword ptr [ebp+122D2A60h] 0x00000046 popad 0x00000047 mov dword ptr [ebp+122D2944h], eax 0x0000004d mov dword ptr [ebp+122D3461h], edi 0x00000053 jmp 00007FCE44C64135h 0x00000058 mov esi, 0000003Ch 0x0000005d jbe 00007FCE44C64127h 0x00000063 add esi, dword ptr [esp+24h] 0x00000067 mov dword ptr [ebp+122D3461h], ecx 0x0000006d lodsw 0x0000006f or dword ptr [ebp+122D3461h], edx 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 mov dword ptr [ebp+122D3461h], esi 0x0000007f mov ebx, dword ptr [esp+24h] 0x00000083 pushad 0x00000084 add si, 32B2h 0x00000089 call 00007FCE44C64131h 0x0000008e mov dword ptr [ebp+122D3461h], eax 0x00000094 pop edx 0x00000095 popad 0x00000096 pushad 0x00000097 sub ah, 00000034h 0x0000009a popad 0x0000009b push eax 0x0000009c push eax 0x0000009d push edx 0x0000009e jp 00007FCE44C64137h 0x000000a4 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 539915 second address: 53993F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 jnp 00007FCE44DE0F56h 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FCE44DE0F69h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5399B5 second address: 5399B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5399B9 second address: 5399BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5399BF second address: 5399ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C64132h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007FCE44C6412Ch 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5399ED second address: 5399F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5399F2 second address: 5399F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5399F7 second address: 5399FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5399FD second address: 539A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push edi 0x0000000a pushad 0x0000000b jmp 00007FCE44C6412Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 539A15 second address: 539A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCE44DE0F64h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 539A35 second address: 539A3F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCE44C6412Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53A31E second address: 53A32B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53A6DC second address: 53A703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FCE44C6413Eh 0x0000000f jmp 00007FCE44C64138h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 585683 second address: 585689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 585689 second address: 585693 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 585816 second address: 58581C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 585AAF second address: 585AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 585EFC second address: 585F02 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 586077 second address: 58609C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FCE44C64132h 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jbe 00007FCE44C64126h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58609C second address: 5860A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5860A5 second address: 5860AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5860AB second address: 5860AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58C5FB second address: 58C5FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58BFC6 second address: 58BFCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58BFCC second address: 58BFD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58C163 second address: 58C168 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58C31A second address: 58C320 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5900E2 second address: 5900FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 js 00007FCE44DE0F56h 0x0000000c jo 00007FCE44DE0F56h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5900FB second address: 5900FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5900FF second address: 590103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58F812 second address: 58F818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58F818 second address: 58F82F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FCE44DE0F56h 0x0000000a jmp 00007FCE44DE0F5Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58F82F second address: 58F859 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C6412Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCE44C64133h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58F859 second address: 58F85D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58F85D second address: 58F86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007FCE44C64126h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58F86C second address: 58F872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58FB02 second address: 58FB06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58FB06 second address: 58FB2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44DE0F63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FCE44DE0F61h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58FB2E second address: 58FB46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C64132h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58FB46 second address: 58FB50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FCE44DE0F56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 58FB50 second address: 58FB54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 59451C second address: 594520 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5947AF second address: 5947C3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCE44C64128h 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007FCE44C64126h 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5947C3 second address: 5947CD instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCE44DE0F56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5947CD second address: 5947F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FCE44C64150h 0x0000000e jmp 00007FCE44C64138h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5947F9 second address: 5947FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 594937 second address: 59493B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 59493B second address: 59493F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 594AB4 second address: 594ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 594BFA second address: 594BFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53A152 second address: 53A158 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53A158 second address: 53A1EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44DE0F61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c cmc 0x0000000d mov ebx, dword ptr [ebp+12482117h] 0x00000013 jmp 00007FCE44DE0F65h 0x00000018 add eax, ebx 0x0000001a pushad 0x0000001b mov dword ptr [ebp+122D1916h], eax 0x00000021 add dword ptr [ebp+122D34DCh], edi 0x00000027 popad 0x00000028 push eax 0x00000029 jnl 00007FCE44DE0F72h 0x0000002f mov dword ptr [esp], eax 0x00000032 push 00000004h 0x00000034 mov dx, C300h 0x00000038 nop 0x00000039 ja 00007FCE44DE0F64h 0x0000003f push eax 0x00000040 pushad 0x00000041 jnl 00007FCE44DE0F58h 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 594E68 second address: 594E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE44C64138h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 59A929 second address: 59A93A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCE44DE0F5Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 599D86 second address: 599D8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 599D8D second address: 599D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 599D9C second address: 599DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007FCE44C6413Dh 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 59A071 second address: 59A081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE44DE0F5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 59A081 second address: 59A08E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 59A1DC second address: 59A1E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 59A1E6 second address: 59A1EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 59A1EA second address: 59A1F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 59A362 second address: 59A366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 59A366 second address: 59A36C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 59A36C second address: 59A372 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 59A372 second address: 59A382 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FCE44DE0F56h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5A4211 second address: 5A4215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5A4215 second address: 5A423F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCE44DE0F5Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCE44DE0F65h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5A423F second address: 5A4243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5A33C0 second address: 5A33DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCE44DE0F5Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5A33DB second address: 5A33DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5A33DF second address: 5A33E7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5A33E7 second address: 5A33FF instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCE44C64132h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5ABBA1 second address: 5ABBAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5ABBAA second address: 5ABBB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5ABE8C second address: 5ABEA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007FCE44DE0F5Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5ABFED second address: 5ABFF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5ABFF1 second address: 5AC00C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE44DE0F65h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5AC284 second address: 5AC291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 je 00007FCE44C64128h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5AC291 second address: 5AC2AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007FCE44DE0F64h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5AC2AC second address: 5AC2D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FCE44C64139h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5AC2D1 second address: 5AC2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5AC2D7 second address: 5AC2DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5AC2DB second address: 5AC2E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5AC2E5 second address: 5AC2E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5AC2E9 second address: 5AC2EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5AC2EF second address: 5AC2FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FCE44C6412Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5AEA25 second address: 5AEA39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCE44DE0F5Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B7403 second address: 5B740A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B740A second address: 5B7410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B7410 second address: 5B7414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B7414 second address: 5B7418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 4F32A4 second address: 4F32AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B5A76 second address: 5B5A95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FCE44DE0F69h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B5A95 second address: 5B5A99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B5BD6 second address: 5B5BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B5BDD second address: 5B5BF3 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCE44C64138h 0x00000008 jmp 00007FCE44C6412Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B5BF3 second address: 5B5BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B5BFB second address: 5B5C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B5C01 second address: 5B5C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B5EB1 second address: 5B5EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B62E6 second address: 5B62EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B62EA second address: 5B62F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B62F0 second address: 5B62FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B62FB second address: 5B6318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FCE44C64133h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B6AC8 second address: 5B6ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B6ACE second address: 5B6AD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B6AD6 second address: 5B6ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B6ADA second address: 5B6B2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C64137h 0x00000007 jmp 00007FCE44C64138h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 je 00007FCE44C64126h 0x00000017 jmp 00007FCE44C64131h 0x0000001c js 00007FCE44C64126h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5B6B2E second address: 5B6B34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5C9F15 second address: 5C9F27 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCE44C64126h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5C9F27 second address: 5C9F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5C9F2D second address: 5C9F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5CBCB5 second address: 5CBCC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FCE44DE0F56h 0x0000000a pop esi 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5CBCC5 second address: 5CBCCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5CBCCA second address: 5CBCD4 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCE44DE0F5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5CFCDB second address: 5CFCE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5CFCE1 second address: 5CFCE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5CFE50 second address: 5CFE56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5CFE56 second address: 5CFE83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007FCE44DE0F56h 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 push esi 0x00000013 jmp 00007FCE44DE0F5Ch 0x00000018 pop esi 0x00000019 popad 0x0000001a jc 00007FCE44DE0F6Ah 0x00000020 push eax 0x00000021 push edx 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5CFE83 second address: 5CFE87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5D4A7E second address: 5D4A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5D4A82 second address: 5D4A8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5E14D2 second address: 5E1503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FCE44DE0F56h 0x0000000a popad 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007FCE44DE0F68h 0x00000013 js 00007FCE44DE0F56h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5E1503 second address: 5E1509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5E1509 second address: 5E1513 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCE44DE0F56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5E1513 second address: 5E151C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5E970B second address: 5E9712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5E9712 second address: 5E9718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5E9718 second address: 5E976C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FCE44DE0F5Ah 0x0000000b popad 0x0000000c jmp 00007FCE44DE0F60h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 jno 00007FCE44DE0F56h 0x0000001b jmp 00007FCE44DE0F64h 0x00000020 pop ebx 0x00000021 jmp 00007FCE44DE0F64h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5E976C second address: 5E977E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c jnc 00007FCE44C64126h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5E977E second address: 5E9782 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5E81C1 second address: 5E81E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FCE44C64126h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCE44C64135h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5E81E5 second address: 5E821F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44DE0F69h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c ja 00007FCE44DE0F93h 0x00000012 jl 00007FCE44DE0F68h 0x00000018 jmp 00007FCE44DE0F5Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5E821F second address: 5E8243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FCE44C64137h 0x0000000a jnp 00007FCE44C64126h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5E877F second address: 5E87CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FCE44DE0F56h 0x0000000a pop ebx 0x0000000b jmp 00007FCE44DE0F5Dh 0x00000010 push edx 0x00000011 je 00007FCE44DE0F56h 0x00000017 jmp 00007FCE44DE0F69h 0x0000001c pop edx 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FCE44DE0F62h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5E87CF second address: 5E87EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C64137h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5FDC2D second address: 5FDC37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FCE44DE0F56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 5F81C6 second address: 5F81CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 60B128 second address: 60B12C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 60B12C second address: 60B144 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C64132h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 61FCE7 second address: 61FCEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 61FCEB second address: 61FCEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 61FE65 second address: 61FE6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 62070E second address: 620718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 620718 second address: 62071E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 6221A1 second address: 6221A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 6296AF second address: 6296B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 6296B5 second address: 6296BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 62B216 second address: 62B21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 62B21A second address: 62B21E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 62B21E second address: 62B224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53D612 second address: 53D62D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE44C64130h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53D62D second address: 53D631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\NvOxePa.exe	RDTSC instruction interceptor: First address: 53D9FE second address: 53DA02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\NvOxePa.exe	Special instruction interceptor: First address: 38AA5D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\NvOxePa.exe	Special instruction interceptor: First address: 38A96E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\NvOxePa.exe	Special instruction interceptor: First address: 5C2C04 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\NvOxePa.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\NvOxePa.exe TID: 7432	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe TID: 7444	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: NvOxePa.exe, NvOxePa.exe, 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1272320460.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWVh
Source: NvOxePa.exe, 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\NvOxePa.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\NvOxePa.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\NvOxePa.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\NvOxePa.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\NvOxePa.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\NvOxePa.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\NvOxePa.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\NvOxePa.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\NvOxePa.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\NvOxePa.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\NvOxePa.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\NvOxePa.exe	File opened: NTICE
Source: C:\Users\user\Desktop\NvOxePa.exe	File opened: SICE
Source: C:\Users\user\Desktop\NvOxePa.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\NvOxePa.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\NvOxePa.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\NvOxePa.exe

Code function: 0_2_003702C0 LdrInitializeThunk,

0_2_003702C0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: NvOxePa.exe	String found in binary or memory: robinsharez.shop
Source: NvOxePa.exe	String found in binary or memory: handscreamny.shop
Source: NvOxePa.exe	String found in binary or memory: chipdonkeruz.shop
Source: NvOxePa.exe	String found in binary or memory: versersleep.shop
Source: NvOxePa.exe	String found in binary or memory: crowdwarek.shop
Source: NvOxePa.exe	String found in binary or memory: apporholis.shop
Source: NvOxePa.exe	String found in binary or memory: femalsabler.shop
Source: NvOxePa.exe	String found in binary or memory: soundtappysk.shop
Source: NvOxePa.exe	String found in binary or memory: letterdrive.shop

Source: NvOxePa.exe, NvOxePa.exe, 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: gProgram Manager

Source: C:\Users\user\Desktop\NvOxePa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NvOxePa.exe	100%	Avira	TR/Crypt.XPACK.Gen
NvOxePa.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://femalsabler.shop:443/api	100%	Avira URL Cloud	malware
https://robinsharez.shop:443/api	100%	Avira URL Cloud	malware
https://chipdonkeruz.shop:443/api	100%	Avira URL Cloud	malware
https://soundtappysk.shop:443/api	100%	Avira URL Cloud	malware
https://apporholis.shop:443/api	100%	Avira URL Cloud	malware
https://versersleep.shop:443/apiy	100%	Avira URL Cloud	malware
https://handscreamny.shop:443/api	100%	Avira URL Cloud	malware
letterdrive.shop	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
letterdrive.shop	unknown	unknown	true	unknown
femalsabler.shop	unknown	unknown	true	unknown
robinsharez.shop	unknown	unknown	true	unknown
soundtappysk.shop	unknown	unknown	true	unknown
crowdwarek.shop	unknown	unknown	true	unknown
versersleep.shop	unknown	unknown	true	unknown
chipdonkeruz.shop	unknown	unknown	true	unknown
apporholis.shop	unknown	unknown	true	unknown
handscreamny.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
robinsharez.shop	false		high
versersleep.shop	false		high
crowdwarek.shop	false		high
letterdrive.shop	true	Avira URL Cloud: malware	unknown
femalsabler.shop	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
soundtappysk.shop	false		high
handscreamny.shop	false		high
apporholis.shop	false		high
chipdonkeruz.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://player.vimeo.com	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8	NvOxePa.exe, 00000000.00000003.1271233382.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1272320460.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://versersleep.shop:443/apiy	NvOxePa.exe, 00000000.00000002.1272320460.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.valvesoftware.com/legal.htm	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://handscreamny.shop:443/api	NvOxePa.exe, 00000000.00000002.1272320460.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://medal.tv	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	NvOxePa.exe, 00000000.00000003.1271233382.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1272320460.0000000000E3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apporholis.shop:443/api	NvOxePa.exe, 00000000.00000002.1272320460.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://soundtappysk.shop:443/api	NvOxePa.exe, 00000000.00000002.1272320460.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/g	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/76561199724331900	NvOxePa.exe, 00000000.00000002.1272320460.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net	NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com	NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A	NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://robinsharez.shop:443/api	NvOxePa.exe, 00000000.00000002.1272320460.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://chipdonkeruz.shop:443/api	NvOxePa.exe, 00000000.00000002.1272320460.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://femalsabler.shop:443/api	NvOxePa.exe, 00000000.00000002.1272320460.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271233382.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/recaptcha/	NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/	NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.steampowered.com/	NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/mobile	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/	NvOxePa.exe, 00000000.00000002.1273148531.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	NvOxePa.exe, 00000000.00000003.1271355709.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271146332.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271355709.0000000000E59000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000002.1273169238.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	NvOxePa.exe, 00000000.00000003.1271092769.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, NvOxePa.exe, 00000000.00000003.1271092769.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586672
Start date and time:	2025-01-09 13:37:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NvOxePa.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@10/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: NvOxePa.exe

Simulations

Behavior and APIs

Time	Type	Description
07:38:00	API Interceptor	5x Sleep call for process: NvOxePa.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	h3VYJaQqI9.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	P2V7Mr3DUF.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	v3tb7mqP48.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	asd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	socolo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	h3VYJaQqI9.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	mpsl.elf	Get hash	malicious	Mirai	Browse	23.63.155.206
	m68k.elf	Get hash	malicious	Mirai	Browse	23.40.78.0
	arm.elf	Get hash	malicious	Mirai	Browse	23.218.112.97
	arm7.elf	Get hash	malicious	Mirai	Browse	23.204.246.84
	ppc.elf	Get hash	malicious	Mirai	Browse	23.13.196.167
	sh4.elf	Get hash	malicious	Mirai	Browse	23.37.180.19
	https://booking.pathqerunknowns.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.102.43.106
	message__51fa7b20_1571_b6cf_e82f_a6f0e2bfa4a2_jamestraversgarage_ie_.eml	Get hash	malicious	Unknown	Browse	2.19.126.151
	P2V7Mr3DUF.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	digitalisierungskonzept_muster.js	Get hash	malicious	Unknown	Browse	104.102.49.254
	h3VYJaQqI9.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	s7.mp4.hta	Get hash	malicious	LummaC	Browse	104.102.49.254
	uU6IvUPN39.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	P2V7Mr3DUF.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	v3tb7mqP48.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	xCnwCctDWC.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DLKs2Qeljg.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	fuk7RfLrD3.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Ljrprfl3BH.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.949199193704866
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NvOxePa.exe
File size:	1'893'888 bytes
MD5:	8c009fe6cb49e086b63c4b385f5a7af9
SHA1:	792625a1b22deb09fae027ac58444e2c99a90786
SHA256:	068d2e3ff303f0fa74fc2821aa128539d8807605b0642d653692c3ff35d14d79
SHA512:	fd3b8b18f6fe0417044c725d6cee38477cf0cf92a299525de2010f9606bd9ba9e5ee80ab81d8ce489315c6ea92f9adf8e7110d466651cd14ceaebcaa750fbb0e
SSDEEP:	49152:0QqyVDGlUzzSfyOFUsDHTa81Qop2psfeJU571e:0Q3alUzzEyQbD281QoUpsre
TLSH:	F99533625EC3C516F32DC7B34460B30A75B69B81CE1BBC20AB15F638E17D995EB62843
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...TQ}g.................(............J...........@...........................J......h....@.................................Y`..m..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8a9000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x677D5154 [Tue Jan 7 16:07:48 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FCE44BD335Ah
pinsrw mm3, word ptr [eax+eax], 00h
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x56059	0x6d	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x55000	0x1ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x561f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x54000	0x27c00	0da7c3f66529b5a7029cb1d99fb2131e	False	0.9977520636792453	data	7.9755838331463895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x55000	0x1ac	0x200	4d6954186cc1f3565efd9d3ab27fe8bf	False	0.58203125	data	4.586927579285357	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x56000	0x1000	0x200	20eae372ffdb39486b5a3eec1e928253	False	0.154296875	data	1.0789976601211375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x57000	0x2ae000	0x200	b12a079f5f2e69b8fe4098a7b424949b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zshtsyot	0x305000	0x1a3000	0x1a2e00	e7b913845cc322abfb4a4227ef212f11	False	0.9943469533348255	COM executable for DOS	7.954406506590485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vzwdmjja	0x4a8000	0x1000	0x400	2d68cf88220ce824e13456d1d60b143d	False	0.806640625	data	6.251618034449836	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4a9000	0x3000	0x2200	056bcde5440f2f8057413348445c425e	False	0.06261488970588236	DOS executable (COM)	0.7478920831830371	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4a7c88	0x152	ASCII text, with CRLF line terminators			0.6479289940828402

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T13:38:01.577342+0100	2059051	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)	1	192.168.2.7	58870	1.1.1.1	53	UDP
2025-01-09T13:38:01.587982+0100	2059041	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)	1	192.168.2.7	65467	1.1.1.1	53	UDP
2025-01-09T13:38:01.597453+0100	2059035	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)	1	192.168.2.7	49176	1.1.1.1	53	UDP
2025-01-09T13:38:01.672685+0100	2059039	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)	1	192.168.2.7	63042	1.1.1.1	53	UDP
2025-01-09T13:38:01.689567+0100	2059057	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)	1	192.168.2.7	53129	1.1.1.1	53	UDP
2025-01-09T13:38:01.820481+0100	2059037	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)	1	192.168.2.7	60579	1.1.1.1	53	UDP
2025-01-09T13:38:01.832440+0100	2059043	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)	1	192.168.2.7	56406	1.1.1.1	53	UDP
2025-01-09T13:38:01.913935+0100	2059049	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)	1	192.168.2.7	60977	1.1.1.1	53	UDP
2025-01-09T13:38:02.624813+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49699	104.102.49.254	443	TCP
2025-01-09T13:38:03.116019+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.7	49699	104.102.49.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 13:38:01.982523918 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 13:38:01.982585907 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 13:38:01.982691050 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 13:38:01.992259026 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 13:38:01.992296934 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 13:38:02.624737978 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 13:38:02.624813080 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 13:38:02.629635096 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 13:38:02.629657984 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 13:38:02.630069971 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 13:38:02.671979904 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 13:38:02.687028885 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 13:38:02.731332064 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 13:38:03.116030931 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 13:38:03.116059065 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 13:38:03.116086006 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 13:38:03.116097927 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 13:38:03.116126060 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 13:38:03.116162062 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 13:38:03.116199017 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 13:38:03.116226912 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 13:38:03.116249084 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 13:38:03.198698044 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 13:38:03.198735952 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 13:38:03.198784113 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 13:38:03.198810101 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 13:38:03.198869944 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 13:38:03.201109886 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 13:38:03.201131105 CET	443	49699	104.102.49.254	192.168.2.7
Jan 9, 2025 13:38:03.201144934 CET	49699	443	192.168.2.7	104.102.49.254
Jan 9, 2025 13:38:03.201149940 CET	443	49699	104.102.49.254	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 13:38:01.557724953 CET	54802	53	192.168.2.7	1.1.1.1
Jan 9, 2025 13:38:01.566154003 CET	53	54802	1.1.1.1	192.168.2.7
Jan 9, 2025 13:38:01.577342033 CET	58870	53	192.168.2.7	1.1.1.1
Jan 9, 2025 13:38:01.586441040 CET	53	58870	1.1.1.1	192.168.2.7
Jan 9, 2025 13:38:01.587981939 CET	65467	53	192.168.2.7	1.1.1.1
Jan 9, 2025 13:38:01.596473932 CET	53	65467	1.1.1.1	192.168.2.7
Jan 9, 2025 13:38:01.597453117 CET	49176	53	192.168.2.7	1.1.1.1
Jan 9, 2025 13:38:01.663749933 CET	53	49176	1.1.1.1	192.168.2.7
Jan 9, 2025 13:38:01.672684908 CET	63042	53	192.168.2.7	1.1.1.1
Jan 9, 2025 13:38:01.686444044 CET	53	63042	1.1.1.1	192.168.2.7
Jan 9, 2025 13:38:01.689567089 CET	53129	53	192.168.2.7	1.1.1.1
Jan 9, 2025 13:38:01.699388981 CET	53	53129	1.1.1.1	192.168.2.7
Jan 9, 2025 13:38:01.820481062 CET	60579	53	192.168.2.7	1.1.1.1
Jan 9, 2025 13:38:01.831068039 CET	53	60579	1.1.1.1	192.168.2.7
Jan 9, 2025 13:38:01.832439899 CET	56406	53	192.168.2.7	1.1.1.1
Jan 9, 2025 13:38:01.899342060 CET	53	56406	1.1.1.1	192.168.2.7
Jan 9, 2025 13:38:01.913934946 CET	60977	53	192.168.2.7	1.1.1.1
Jan 9, 2025 13:38:01.922148943 CET	53	60977	1.1.1.1	192.168.2.7
Jan 9, 2025 13:38:01.936602116 CET	59776	53	192.168.2.7	1.1.1.1
Jan 9, 2025 13:38:01.944706917 CET	53	59776	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 13:38:01.557724953 CET	192.168.2.7	1.1.1.1	0xe5af	Standard query (0)	letterdrive.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.577342033 CET	192.168.2.7	1.1.1.1	0xf597	Standard query (0)	soundtappysk.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.587981939 CET	192.168.2.7	1.1.1.1	0x33d4	Standard query (0)	femalsabler.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.597453117 CET	192.168.2.7	1.1.1.1	0xabd7	Standard query (0)	apporholis.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.672684908 CET	192.168.2.7	1.1.1.1	0xe66a	Standard query (0)	crowdwarek.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.689567089 CET	192.168.2.7	1.1.1.1	0x82e3	Standard query (0)	versersleep.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.820481062 CET	192.168.2.7	1.1.1.1	0x9e16	Standard query (0)	chipdonkeruz.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.832439899 CET	192.168.2.7	1.1.1.1	0xbc40	Standard query (0)	handscreamny.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.913934946 CET	192.168.2.7	1.1.1.1	0xa646	Standard query (0)	robinsharez.shop	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.936602116 CET	192.168.2.7	1.1.1.1	0xb71e	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 13:38:01.566154003 CET	1.1.1.1	192.168.2.7	0xe5af	Name error (3)	letterdrive.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.586441040 CET	1.1.1.1	192.168.2.7	0xf597	Name error (3)	soundtappysk.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.596473932 CET	1.1.1.1	192.168.2.7	0x33d4	Name error (3)	femalsabler.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.663749933 CET	1.1.1.1	192.168.2.7	0xabd7	Name error (3)	apporholis.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.686444044 CET	1.1.1.1	192.168.2.7	0xe66a	Name error (3)	crowdwarek.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.699388981 CET	1.1.1.1	192.168.2.7	0x82e3	Name error (3)	versersleep.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.831068039 CET	1.1.1.1	192.168.2.7	0x9e16	Name error (3)	chipdonkeruz.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.899342060 CET	1.1.1.1	192.168.2.7	0xbc40	Name error (3)	handscreamny.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.922148943 CET	1.1.1.1	192.168.2.7	0xa646	Name error (3)	robinsharez.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:38:01.944706917 CET	1.1.1.1	192.168.2.7	0xb71e	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	104.102.49.254	443	7264	C:\Users\user\Desktop\NvOxePa.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 12:38:02 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-09 12:38:03 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 09 Jan 2025 12:38:03 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=aa3a5aca7c87fe4a4d532359; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-09 12:38:03 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-09 12:38:03 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	07:37:59
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\NvOxePa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NvOxePa.exe"
Imagebase:	0x330000
File size:	1'893'888 bytes
MD5 hash:	8C009FE6CB49E086B63C4B385F5A7AF9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.5%
Total number of Nodes:	68
Total number of Limit Nodes:	5

Executed Functions

Function 0033B2B0 Relevance: 9.3, Strings: 7, Instructions: 518
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Bc*}, xrefs: 0033B3C6
6C(], xrefs: 0033B382
@w@q, xrefs: 0033B3E4
`/(), xrefs: 0033B588
K{Du, xrefs: 0033B3DA
?_oY, xrefs: 0033B389
fWpQ, xrefs: 0033B397

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: 6C(]$?_oY$@w@q$Bc*}$K{Du$`/()$fWpQ
API String ID: 0-74227037
Opcode ID: 33fdae005aac7051e437b1471e3cb41b1d21b16b2eeb7dd1253da803d7ebd727
Instruction ID: 7fb3e8d1b813f31a5b025c1b29647dbc9bea06df3c683f4f9631995c967f35fc
Opcode Fuzzy Hash: 33fdae005aac7051e437b1471e3cb41b1d21b16b2eeb7dd1253da803d7ebd727
Instruction Fuzzy Hash: F21268B5104B01CFD335CF25D891BA7BBFAFB45314F108A2CD5AA8BAA4DB74A445CB50

Function 00338880 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00338AB7

Strings

6W01, xrefs: 003389B5

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID: ExitProcess
String ID: 6W01
API String ID: 621844428-326071965
Opcode ID: abbb2d28b654bf7592ccd200dc6b2670cccdf16646dc9859ff8a83d0bfa9cbdc
Instruction ID: 43a916a75cc953eab4fee8738e1a715bd11c1d2a709a36c1b970253caf2d58ef
Opcode Fuzzy Hash: abbb2d28b654bf7592ccd200dc6b2670cccdf16646dc9859ff8a83d0bfa9cbdc
Instruction Fuzzy Hash: 9751AF73A443040BD729AB799C86356BAC78BC1310F1BD53DA945AF3D6ED789C0643C2

Function 0033AA32 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MO, xrefs: 0033AA37
MO, xrefs: 0033A9CF

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: MO$MO
API String ID: 0-3148518880
Opcode ID: c479f29ca482e3b5a8960c16ff820cea11c6551929eb3b2a4630b4447ec37321
Instruction ID: 091277e111a8c93cf6024616feb9b2e5811218783444409dd99d731b2e0195f4
Opcode Fuzzy Hash: c479f29ca482e3b5a8960c16ff820cea11c6551929eb3b2a4630b4447ec37321
Instruction Fuzzy Hash: EA119A741446818BEF268F68DED16677FA4EF42320F2499D898865F38BC638C501CF65

Function 003702C0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0037316E,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 003702EE

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00370260 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0033B9C7,00000000,00000001), ref: 00370292

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2fa03ce71b6ddcbf38187f722c8263aeffd69635b04c501c53fb197b52719c96
Instruction ID: 8e5fdf9bb80ad40bc4a91025ed33c41b94b559216b12889407c09917d205b5b0
Opcode Fuzzy Hash: 2fa03ce71b6ddcbf38187f722c8263aeffd69635b04c501c53fb197b52719c96
Instruction Fuzzy Hash: 52E06537518251EBC2272B287C16F1B766C9FC6711F058874F40997515EB35E8018AA6

Function 0033AB12 Relevance: 1.5, APIs: 1, Instructions: 20
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202), ref: 0033AB46

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 61f00876058042a99ff5feb9bf30469c4094043b20c92dc34802a0dd937fae44
Instruction ID: ea94532cd654a675d2b8811faf2c97f20a329d8fa2355e1b6678b0ed495fb93d
Opcode Fuzzy Hash: 61f00876058042a99ff5feb9bf30469c4094043b20c92dc34802a0dd937fae44
Instruction Fuzzy Hash: 1BE02B371E4208BBF62B6390FD0FC563A1EBB4230AF04811CFC1D50177D5111425DAA2

Function 0036EB40 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,003702AB,?,0033B9C7,00000000,00000001), ref: 0036EB60

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 013adbb70e4d3d217314a4fa03ce7de7c816a9bda109f93b5453ff1f0341dff3
Instruction ID: 37739819ab72892fd5a0942b5553164438e7458674ec1983c021040950045015
Opcode Fuzzy Hash: 013adbb70e4d3d217314a4fa03ce7de7c816a9bda109f93b5453ff1f0341dff3
Instruction Fuzzy Hash: C3D0C932445522EBC6222B28BC05BCB3BA8EF4A760F0748A1F544AA464E7259C91CAD0

Function 0036EB20 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,003702A0), ref: 0036EB30

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4610da174437f98038d3ceaedd45f1d1953f2265418192eb3eb622ba08ceb77b
Instruction ID: 5aa014a4c8f91fb8491cb8c5843da8241c04cdcf2ae9516f006c6f46cdfb2d9a
Opcode Fuzzy Hash: 4610da174437f98038d3ceaedd45f1d1953f2265418192eb3eb622ba08ceb77b
Instruction Fuzzy Hash: 13C09B31045121BBC6116B14FC05FCA3F58DF45361F024095F10477475D7606C82C7D5

Non-executed Functions

Function 00353EFF Relevance: 70.4, Strings: 56, Instructions: 350COMMON

Download Yara Rule

Strings

@, xrefs: 00354152
&, xrefs: 0035414B
(, xrefs: 003541AD
>, xrefs: 00353FEA
1, xrefs: 00353FC2
h, xrefs: 0035424F
f, xrefs: 00353FEE
q, xrefs: 00353FDE
Q, xrefs: 003541C9
?, xrefs: 00353F42
&, xrefs: 00353FCA
n, xrefs: 00354257
N, xrefs: 0035439E
t, xrefs: 003541DE
0, xrefs: 00353FE6
D, xrefs: 0035416E
J, xrefs: 0035417C
A, xrefs: 003543AC
f, xrefs: 00354237
v, xrefs: 003541D0
2, xrefs: 00353FC6
@, xrefs: 00354263
h, xrefs: 00354175
^, xrefs: 00354128
N, xrefs: 00354198
n, xrefs: 00353FCE
F, xrefs: 00354160
p, xrefs: 003541C2
x, xrefs: 00353F3E
L, xrefs: 003541A6
b, xrefs: 00354224
H, xrefs: 0035418A
`, xrefs: 0035422F
V, xrefs: 00353F52
1, xrefs: 00353FDA
?, xrefs: 00354183
l, xrefs: 0035425F
X, xrefs: 0035411A
x, xrefs: 003541FA
/, xrefs: 00353F46
|, xrefs: 00354216
4, xrefs: 00353FE2
B, xrefs: 00354144
}, xrefs: 00354390
7, xrefs: 00353FD6
z, xrefs: 003541EC
:, xrefs: 00354253
>, xrefs: 00353F4E
d, xrefs: 0035423F
j, xrefs: 00354247
\, xrefs: 00354136
r, xrefs: 003541B4
~, xrefs: 00354208
-, xrefs: 003541BB
8, xrefs: 00353F4A
0, xrefs: 00353FD2

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: &$&$($-$/$0$0$1$1$2$4$7$8$:$>$>$?$?$@$@$A$B$D$F$H$J$L$N$N$Q$V$X$\$^$`$b$d$f$f$h$h$j$l$n$n$p$q$r$t$v$x$x$z$|$}$~
API String ID: 0-1862720121
Opcode ID: f814ce14f25999004f94f8e749f0b8a2898d8a7a3191ecacd4167dbac74c6b5d
Instruction ID: 8c94a61d21024bf3c7c314926f5e5100db4ab5ad6f6b9d342ecf941c0106383d
Opcode Fuzzy Hash: f814ce14f25999004f94f8e749f0b8a2898d8a7a3191ecacd4167dbac74c6b5d
Instruction Fuzzy Hash: 1E025121D087D989DB22C67C8C493CDBFA11B63324F1843DDD5E86B3D6D6B90549CB62

Function 0036A4EF Relevance: 54.1, Strings: 43, Instructions: 311COMMON

Download Yara Rule

Strings

o, xrefs: 0036A5D4
9, xrefs: 0036A541
n, xrefs: 0036A7E7
i, xrefs: 0036A5AA
%, xrefs: 0036A525
3, xrefs: 0036A54F
i, xrefs: 0036A7C4
y, xrefs: 0036A61A
a, xrefs: 0036A78C
w, xrefs: 0036A60C
k, xrefs: 0036A5B8
m, xrefs: 0036A5C6
>, xrefs: 0036A764
M, xrefs: 0036A6A6
C, xrefs: 0036A660
E, xrefs: 0036A66E
L, xrefs: 0036A69F
:, xrefs: 0036A509
m, xrefs: 0036A7E0
x, xrefs: 0036A533
K, xrefs: 0036A698
s, xrefs: 0036A5F0
o, xrefs: 0036A7EE
a, xrefs: 0036A572
u, xrefs: 0036A5FE
c, xrefs: 0036A580
k, xrefs: 0036A7D2
I, xrefs: 0036A68A
g, xrefs: 0036A7B6
q, xrefs: 0036A5E2
{, xrefs: 0036A628
g, xrefs: 0036A59C
A, xrefs: 0036A652
e, xrefs: 0036A7A8
=, xrefs: 0036A517
D, xrefs: 0036A4FB
+, xrefs: 0036A55D
e, xrefs: 0036A58E
0, xrefs: 0036A936
<, xrefs: 0036A75B
c, xrefs: 0036A79A
G, xrefs: 0036A67C
}, xrefs: 0036A636

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: %$+$0$3$9$:$<$=$>$A$C$D$E$G$I$K$L$M$a$a$c$c$e$e$g$g$i$i$k$k$m$m$n$o$o$q$s$u$w$x$y${$}
API String ID: 0-1785674967
Opcode ID: 49feeb77b8548412dcbe9dc93e8a7744d1eae9216e32d1045bc0ed1e98c690a8
Instruction ID: 650874c775afd374e225c80bb0f4f5fd43e5dc0052cbe185ccb7e6b202b40915
Opcode Fuzzy Hash: 49feeb77b8548412dcbe9dc93e8a7744d1eae9216e32d1045bc0ed1e98c690a8
Instruction Fuzzy Hash: F3F16131908AE98ADB22C63C8C443DDBFB15B52324F1847D9D0A9AB3D2C7754B85CB62

Function 00369923 Relevance: 50.4, Strings: 40, Instructions: 391COMMON

Download Yara Rule

Strings

H, xrefs: 00369AEF
i, xrefs: 00369B2F
T, xrefs: 00369BCF
=, xrefs: 00369B8F
x, xrefs: 00369B7F
=, xrefs: 00369A01
1, xrefs: 003699BB
_, xrefs: 00369ABF
*, xrefs: 00369A7F
], xrefs: 00369ACF
S, xrefs: 00369A8F
w, xrefs: 00369B17
t, xrefs: 00369B5F
$, xrefs: 003699E5
Y, xrefs: 00369AE7
~, xrefs: 00369B3F
f, xrefs: 00369E23
j, xrefs: 00369B37
2, xrefs: 00369A55
Z, xrefs: 00369AF7
I, xrefs: 00369D0E
e, xrefs: 00369E1C
{, xrefs: 00369B77
=, xrefs: 00369A1D
i, xrefs: 00369B6F
G, xrefs: 00369AD7
F, xrefs: 00369A97
7, xrefs: 00369A71
<, xrefs: 00369A0F
r, xrefs: 00369BB7
j, xrefs: 00369B1F
S, xrefs: 00369D26
O, xrefs: 00369D16
4, xrefs: 00369DFF
F, xrefs: 00369AC7
-, xrefs: 003699AD
5, xrefs: 003699D7
s, xrefs: 00369B4F
c, xrefs: 00369B07
U, xrefs: 00369AFF

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: $$*$-$1$2$4$5$7$<$=$=$=$F$F$G$H$I$O$S$S$T$U$Y$Z$]$_$c$e$f$i$i$j$j$r$s$t$w$x${$~
API String ID: 0-3597792095
Opcode ID: fd5f8e65e49aa640689995fb4ff51e45098a83ac1c1949a15559c951679ad3e2
Instruction ID: 6ef830eafe90f54d53ec480acf54993639a1e65dda0342e8a3552f86996b7070
Opcode Fuzzy Hash: fd5f8e65e49aa640689995fb4ff51e45098a83ac1c1949a15559c951679ad3e2
Instruction Fuzzy Hash: A5223F219087EA89DB32C67C8C483CDBFA15B67224F1843D9D4F86B3D6C7750A46CB66

Function 00355100 Relevance: 23.2, APIs: 2, Strings: 11, Instructions: 481COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 003551AA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00355243

Strings

.T'j, xrefs: 003553BB
C`<f, xrefs: 003553D3
?P:V, xrefs: 003553B3
XY, xrefs: 00355146
,X*^, xrefs: 003553A3
%\)R, xrefs: 003553AB
]R5, xrefs: 00355257
+$e, xrefs: 003551F2
+$e, xrefs: 0035517A, 00355165
1D6Z, xrefs: 0035539B
:@&F, xrefs: 00355393

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$%\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f$XY$]R5
API String ID: 237503144-1741660546
Opcode ID: b3f3fb3e39dfae82a42c15d0ad81dad61351fe1788cc8f7923f937dfda68a301
Instruction ID: dcc8546b861bda54d93d3fc1de4e39caa308688882f0437fe0426c199d5de470
Opcode Fuzzy Hash: b3f3fb3e39dfae82a42c15d0ad81dad61351fe1788cc8f7923f937dfda68a301
Instruction Fuzzy Hash: EFF1DEB02483409FD721DF69D89176BBBE0FFC5314F15892CE5998B361E7B8990ACB42

Function 0036B870 Relevance: 21.9, APIs: 2, Strings: 10, Instructions: 888COMMON

Download Yara Rule

Strings

96, xrefs: 0036BE52
M, xrefs: 0036BB5B
:;$%, xrefs: 0036C2EC
k"@ , xrefs: 0036BE3A
F*R(, xrefs: 0036BE2A
#~|, xrefs: 0036B89D
[&h$, xrefs: 0036BE32
n:T8, xrefs: 0036BE4A
e?^, xrefs: 0036BC4F
#~|, xrefs: 0036B8A7

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
API String ID: 0-2807872674
Opcode ID: 8c15b0c5fd825ed45cfc52af7ce4a264d184d9386abbebb02a1ce1950df7b4aa
Instruction ID: c820b81fb8f369e5d1262fb055c4fec63f278e7aa8de74429bb99ee24b34468b
Opcode Fuzzy Hash: 8c15b0c5fd825ed45cfc52af7ce4a264d184d9386abbebb02a1ce1950df7b4aa
Instruction Fuzzy Hash: 7D5200726183408BD724CF28C8917ABFBE5EF86314F18DA2DE5D58B291D774D806CB92

Function 00355D6A Relevance: 15.8, Strings: 12, Instructions: 778COMMON

Download Yara Rule

Strings

-T,j, xrefs: 0035636E
+\1R, xrefs: 0035635A
uVw, xrefs: 00355EA0
qs, xrefs: 00355E96
Wdz, xrefs: 00356396
$@7F, xrefs: 0035633C
&$, xrefs: 003566A0
2E1G, xrefs: 00356876
4D2Z, xrefs: 00356346
T`Sf, xrefs: 0035638C
8I>K, xrefs: 00356858
(X#^, xrefs: 00356350

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$T`Sf$Wdz$&$$qs$uVw
API String ID: 0-2419925205
Opcode ID: 7427dfd3afc6268f06e0baf39e12d661d9d7692f91b478123317a1c834244110
Instruction ID: ebc3483fe7741b8310789d885f903684d70acd3db78a3ffe7436f338a31a1ef6
Opcode Fuzzy Hash: 7427dfd3afc6268f06e0baf39e12d661d9d7692f91b478123317a1c834244110
Instruction Fuzzy Hash: 747272B4A05269CFDB25CF55D881BDDBBB2FB46300F1581E8C5496B362DB349A86CF80

Function 00349840 Relevance: 14.9, APIs: 2, Strings: 6, Instructions: 936COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00349CE7
FreeLibrary.KERNEL32(?), ref: 00349D24

Part of subcall function 003702C0: LdrInitializeThunk.NTDLL(0037316E,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 003702EE

Strings

vt, xrefs: 00349AFC
SP, xrefs: 00349BF2
if, xrefs: 00349B1C
pv, xrefs: 00349BB2
tj, xrefs: 00349BBA
~|, xrefs: 00349B2E

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: ~|$SP$if$pv$tj$vt
API String ID: 764372645-1422159894
Opcode ID: 002f6e0b5838b65e0884fb066b50e531cdf08ee9ce5777c4fcb83c7e2e654a46
Instruction ID: 4757c39c0df532f08cc8a3d73e7bc9a540005bf1fb454c0781108f060e282c37
Opcode Fuzzy Hash: 002f6e0b5838b65e0884fb066b50e531cdf08ee9ce5777c4fcb83c7e2e654a46
Instruction Fuzzy Hash: 556204706483009FE726CF1ACC8176BB7E6EB85324F158A1DE4999F2A1E371BC45CB52

Function 00347405 Relevance: 13.4, APIs: 4, Strings: 3, Instructions: 1110COMMON

Download Yara Rule

Strings

O, xrefs: 00347625
~, xrefs: 00348158
5&'d, xrefs: 003475E5

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: 5&'d$O$~
API String ID: 0-1622812124
Opcode ID: 3b68a5027ed276fc01518d51407462741c6ac2d3f6e22bfa00363a9c565fa9c0
Instruction ID: 3c0d468b799cdf80e42d64048fd5fbdd6e6521256a0c477e6b7fbe6bec4f13af
Opcode Fuzzy Hash: 3b68a5027ed276fc01518d51407462741c6ac2d3f6e22bfa00363a9c565fa9c0
Instruction Fuzzy Hash: BB82127150C3518FC325CF28C8917ABB7E1FF99314F198A6CE4C99B291E738A945CB92

Function 00500D52 Relevance: 12.8, Strings: 9, Instructions: 1540COMMON

Download Yara Rule

Strings

:Q~j, xrefs: 00501329
#"9g, xrefs: 005016AA
r$, xrefs: 005010B9
`z#, xrefs: 00501E3E
gw, xrefs: 00501FCD
Oe_, xrefs: 005013B2
/>q,, xrefs: 005015E2
gw, xrefs: 00501FBA
bY~{, xrefs: 00501232

Memory Dump Source

Source File: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: #"9g$/>q,$:Q~j$Oe_$bY~{$gw$gw$r$$`z#
API String ID: 0-1519356616
Opcode ID: 2df2c0adbc74ac0efda2c073b8549bd05382c64b26b318c2575356ef3aa91d74
Instruction ID: 49f9a1058036af1516053c8332d03e4854c067f04d85f77af86da95c11f838a1
Opcode Fuzzy Hash: 2df2c0adbc74ac0efda2c073b8549bd05382c64b26b318c2575356ef3aa91d74
Instruction Fuzzy Hash: B2B2F5F3A082109FE3046E2DDC8567AF7E9EF94720F1A492DEAC4C7744E63598418797

Function 003557E0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 295COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 003558F4
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0035595D

Strings

)RSP, xrefs: 003559A1
`J/H, xrefs: 00355826
=^"\, xrefs: 00355ABF
rp, xrefs: 00355834
B"@, xrefs: 00355818

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: B"@$)RSP$=^"\$`J/H$rp
API String ID: 237503144-816972838
Opcode ID: 0bfe49fab61bdc0c1192ffef204e03077252083937e72eb439f02a8fceab2299
Instruction ID: 16a9a8449e0be49eef94ef5f938854a972adf545bf666e4cdd771b2c6ab99ec7
Opcode Fuzzy Hash: 0bfe49fab61bdc0c1192ffef204e03077252083937e72eb439f02a8fceab2299
Instruction Fuzzy Hash: B9A122B2E402188FDB11CFA8DC82BEEBBB1FB85314F154169E414AB291D7B59942CF90

Function 00345720 Relevance: 11.8, Strings: 8, Instructions: 1798COMMON

Download Yara Rule

Strings

9?4<, xrefs: 00346345
BYQZ, xrefs: 00346286
R(RW, xrefs: 00346265
L, xrefs: 003462B2
F2}0, xrefs: 00345A76
a, xrefs: 003463D3
DASS, xrefs: 0034629C
NR@:, xrefs: 00346291

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: 9?4<$BYQZ$DASS$F2}0$L$NR@:$R(RW$a
API String ID: 0-3642574725
Opcode ID: aecede5c6d2cc00decb0ccfd0b1876e3721cc07fcb05efb227a6a8c40ad6303d
Instruction ID: cda394f966de8a48fd5a8d07ac80bca69d4dd446b840d84656497d2b43364ae9
Opcode Fuzzy Hash: aecede5c6d2cc00decb0ccfd0b1876e3721cc07fcb05efb227a6a8c40ad6303d
Instruction Fuzzy Hash: 57C22771A08341DFD7269F28C8967ABB7E5FF86314F19892CE4C98B251DB34A941CB43

Function 0034C400 Relevance: 10.8, Strings: 8, Instructions: 842COMMON

Download Yara Rule

Strings

*H%N, xrefs: 0034C8EF
+P%V, xrefs: 0034C8FD
C`6f, xrefs: 0034C73C, 0034CBB1, 0034CC7D
2T'Z, xrefs: 0034C904
,X0^, xrefs: 0034C90B
C`6f, xrefs: 0034C919
,\/b, xrefs: 0034C912
4D"J, xrefs: 0034C8E8

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
API String ID: 0-102253164
Opcode ID: b40dcaa97c689b5d18b6542967b53789f43913492e19152c80e48fecfc5524fe
Instruction ID: 3e966a2b0ea4759b6adf8fd2afbce287c716499d9dc8d709bf53e188e19977ff
Opcode Fuzzy Hash: b40dcaa97c689b5d18b6542967b53789f43913492e19152c80e48fecfc5524fe
Instruction Fuzzy Hash: A53256B59112118BCB25CF24C8923BBB7B2FF95314F29929CD841AF395E775A802CBD1

Function 00350D90 Relevance: 10.5, Strings: 8, Instructions: 470COMMON

Download Yara Rule

Strings

>C;M"G3A, xrefs: 003511E3
2W<Q, xrefs: 00350F46
>C;M, xrefs: 00350F2E
?S2], xrefs: 00350F4E
<O)I, xrefs: 00350F36
%K9U, xrefs: 00350F3E
?_%Y, xrefs: 00350F56
"G3A, xrefs: 00351026

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: "G3A$%K9U$2W<Q$<O)I$>C;M$>C;M"G3A$?S2]$?_%Y
API String ID: 0-2668584225
Opcode ID: bb546d702df7bf768976049f5038b7a04da060acdecff34fbf358cb8132bf571
Instruction ID: 90da96aaea783efb8ed952b12ae5e1ab5d99d210f804b8cc52d1ebcce20af8c3
Opcode Fuzzy Hash: bb546d702df7bf768976049f5038b7a04da060acdecff34fbf358cb8132bf571
Instruction Fuzzy Hash: 0CE1F0755083108BC325DF64C892B6BB7F1EFD6314F098A1CE8D68B3A4E3759909CB92

Function 00357860 Relevance: 10.4, Strings: 8, Instructions: 409COMMON

Download Yara Rule

Strings

bX_^, xrefs: 00357C10, 00357C14, 00357D78
]_, xrefs: 003579C8
+5, xrefs: 0035794C
J+, xrefs: 003579D3
JW, xrefs: 003579BD
/), xrefs: 00357944
r}5, xrefs: 00357D60
3=, xrefs: 0035795C

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: J+$JW$]_$bX_^$r}5$+5$/)$3=
API String ID: 0-3496142750
Opcode ID: e5b05e6f712d30b41665a040488963b81b525e1b47cacd4858314adc79a4f5f7
Instruction ID: c49d2931154d193eeb13d86a478cf8eaad20ffce122c8772b6575277d61450bd
Opcode Fuzzy Hash: e5b05e6f712d30b41665a040488963b81b525e1b47cacd4858314adc79a4f5f7
Instruction Fuzzy Hash: 22D1DDB560C340DFE7258F25D881B6BB7F6FB86301F14892DF5998B2A1D7349909CB42

Function 0050272A Relevance: 10.4, Strings: 7, Instructions: 1614COMMON

Download Yara Rule

Strings

{uo;, xrefs: 00503498
eV, xrefs: 00502843
_!<, xrefs: 0050296D
f6{#, xrefs: 00503563
vvof, xrefs: 005039D8
Dj|\, xrefs: 00502FB3
6j?M, xrefs: 00502C59

Memory Dump Source

Source File: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: _!<$6j?M$Dj|\$eV$f6{#$vvof${uo;
API String ID: 0-1829391125
Opcode ID: d1129c09f18c0885892c29f9ddd4208173e77af463c75b221c08017c879ac222
Instruction ID: d5c9aa655c5b099d9af1355d9da1f99a48b0fa336e9f715a4d9b0495296c9edf
Opcode Fuzzy Hash: d1129c09f18c0885892c29f9ddd4208173e77af463c75b221c08017c879ac222
Instruction Fuzzy Hash: AFB2D6F360C2049FE708AE2DEC8567AB7E9EF94320F16493DE6C5C3744EA3598058697

Function 004F1D1B Relevance: 10.4, Strings: 7, Instructions: 1602COMMON

Download Yara Rule

Strings

1, xrefs: 004F232D
/Z3G, xrefs: 004F2D80
xEK+, xrefs: 004F2CAD
73w, xrefs: 004F2A8B
bbO, xrefs: 004F22B5
'\Y/, xrefs: 004F2385
/uxo, xrefs: 004F1DC7

Memory Dump Source

Source File: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: 1$'\Y/$/Z3G$/uxo$73w$bbO$xEK+
API String ID: 0-1881448141
Opcode ID: 167299f46e447b36e71095d19ac7453b640244c5095fc7609341894e0e11df21
Instruction ID: 0b429965a506722143e7e89521a98b83c8946e4a5f36247095f81d7b6d2d094c
Opcode Fuzzy Hash: 167299f46e447b36e71095d19ac7453b640244c5095fc7609341894e0e11df21
Instruction Fuzzy Hash: E1B207F360C204AFE304AE29EC8567ABBE9EF94320F16493DE6C5C7744EA3558418797

Function 004F0325 Relevance: 9.1, Strings: 6, Instructions: 1583COMMON

Download Yara Rule

Strings

z@4, xrefs: 004F10CC
3p|, xrefs: 004F1119
"ax, xrefs: 004F0888
<Y/5, xrefs: 004F074D
3|N, xrefs: 004F0414
Hr?, xrefs: 004F1331

Memory Dump Source

Source File: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: "ax$3p|$3|N$<Y/5$z@4$Hr?
API String ID: 0-900565547
Opcode ID: bd3811ba395b089acc3575a6ff5d55bbc20d7ac414b6d20dd7ea78ccc6c841f4
Instruction ID: 1ae88779e2ef45c7fa723395375fbe54fe4621317e8f0b32a832cece19bfa8ab
Opcode Fuzzy Hash: bd3811ba395b089acc3575a6ff5d55bbc20d7ac414b6d20dd7ea78ccc6c841f4
Instruction Fuzzy Hash: 12B207F360C204AFE7046E2DEC8567ABBE9EF94620F1A493DEAC5C7344E63558018797

Function 003486FC Relevance: 8.5, Strings: 6, Instructions: 1000COMMON

Download Yara Rule

Strings

NmNo, xrefs: 003488F5
H)G+, xrefs: 00348852
]a_c, xrefs: 00348871
tu, xrefs: 00348829
<, xrefs: 0034913F
+, xrefs: 00348DD8

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: +$<$H)G+$NmNo$]a_c$tu
API String ID: 0-4096164410
Opcode ID: a398d55332b6e0a6bbd1ebcc29f21bb5cfa9c4af012b429e787d1c6db8d15298
Instruction ID: 79967b8352e3d1cc05ac00f0a2c2697b812d74681ec3f5067d79e7e3c882ac65
Opcode Fuzzy Hash: a398d55332b6e0a6bbd1ebcc29f21bb5cfa9c4af012b429e787d1c6db8d15298
Instruction Fuzzy Hash: D3522370108340CFD7268F29C8917ABB7E5FF86324F198A1CE4DA9F291DB35A945CB52

Function 0033AE30 Relevance: 7.8, Strings: 6, Instructions: 344COMMON

Download Yara Rule

Strings

}v, xrefs: 0033AED8
8)*6, xrefs: 0033B229, 0033B1C3, 0033B1B7, 0033B215, 0033B064, 0033B232, 0033B25C, 0033B084
Ds, xrefs: 0033AEE8
]f, xrefs: 0033B021, 0033B025
8)*6, xrefs: 0033B0B0
:33F, xrefs: 0033B0A4

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: 8)*6$8)*6$:33F$Ds$]f$}v
API String ID: 0-771823803
Opcode ID: 985864724a53aac61b0f3a3a95249ead1ca1e9453d1a404e5601573dd0ec8484
Instruction ID: a29a2aee124fa4b01ea0c9370bb70d6b6e4351e85d4fe7a94264546523241f28
Opcode Fuzzy Hash: 985864724a53aac61b0f3a3a95249ead1ca1e9453d1a404e5601573dd0ec8484
Instruction Fuzzy Hash: 2DB1257560C3408BD326CF6884A46AFFBE2AFD2304F19892CE5D58B351D775C90ACB96

Function 004F3762 Relevance: 7.8, Strings: 5, Instructions: 1570COMMON

Download Yara Rule

Strings

wS_W, xrefs: 004F49C3
Nl, xrefs: 004F3EA0, 004F3EE2, 004F4066
Rx~w, xrefs: 004F3F9A
ZjOo, xrefs: 004F3F3D
LXf_, xrefs: 004F39B3

Memory Dump Source

Source File: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: LXf_$Rx~w$ZjOo$wS_W$Nl
API String ID: 0-4285272670
Opcode ID: 93d90ba01172154dd8445b38c2948cb82120cd983aeef1f213c4088c44b7d64a
Instruction ID: b2093966826f6918edf8eb10f8e63488b84053efd46bb15b5804e8c095e5c16a
Opcode Fuzzy Hash: 93d90ba01172154dd8445b38c2948cb82120cd983aeef1f213c4088c44b7d64a
Instruction Fuzzy Hash: 3BB2D4F360C6009FE304AE29EC8567AFBE9EF94720F1A493DE6C4C7744E63598418697

Function 00355AF0 Relevance: 7.8, Strings: 6, Instructions: 289COMMON

Download Yara Rule

Strings

)RSP, xrefs: 003559A1
B:, xrefs: 00355C36
=^"\, xrefs: 00355ABF
C@, xrefs: 00355C40
bX_^, xrefs: 00355BBD
K3, xrefs: 00355C4A

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: )RSP$=^"\$B:$C@$K3$bX_^
API String ID: 0-3030200349
Opcode ID: ed2434ee94ff94b04772b75723af7f378e882f975f1f8fa8bc949a9c234e459e
Instruction ID: 9fe8689e5a41f3d57a3b067ecde6bbfc1a15ef91fbbf275f34ccf9a0fea73e1a
Opcode Fuzzy Hash: ed2434ee94ff94b04772b75723af7f378e882f975f1f8fa8bc949a9c234e459e
Instruction Fuzzy Hash: 25B101B6E002188FDB20CF68DC427DEBBB1FB85314F5981A9E418AB251D77859468FD1

Function 004FF692 Relevance: 7.6, Strings: 5, Instructions: 1311COMMON

Download Yara Rule

Strings

lTl#, xrefs: 004FF9D3
45G, xrefs: 004FFE1A
Eu, xrefs: 004FFAFE
q1_w, xrefs: 004FF9CD
CKa, xrefs: 00500661

Memory Dump Source

Source File: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: CKa$Eu$lTl#$q1_w$45G
API String ID: 0-1761999998
Opcode ID: 20b790c79cd167623d03bfadc83d7d4f0209be729ec88707e42f7d0a927161bf
Instruction ID: e1a4de10fd7776850037b6de42242d641d5e6d7830c874fe701e2f0381677505
Opcode Fuzzy Hash: 20b790c79cd167623d03bfadc83d7d4f0209be729ec88707e42f7d0a927161bf
Instruction Fuzzy Hash: 249238F39082149FE3046E29EC8567AFBE9EF94720F1A493DEAC4C3744EA7558018796

Function 0036F150 Relevance: 6.8, Strings: 5, Instructions: 524COMMON

Download Yara Rule

Strings

S"(w, xrefs: 0036F220
f, xrefs: 0036F3AD
d5fg, xrefs: 0036F1EF
S"(w, xrefs: 0036F44C
d5fg, xrefs: 0036F1B0, 0036F195

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID: InitializeThunk
String ID: S"(w$S"(w$d5fg$d5fg$f
API String ID: 2994545307-2961185688
Opcode ID: 215f0dbdaba7ebf2ccac097d7eab531cd696e48ee735c0f74798dffe76c0f2a8
Instruction ID: 8254cf9e4b76c8438eb6645293467f46c727d7d3d34810a20977aaf7671daa0e
Opcode Fuzzy Hash: 215f0dbdaba7ebf2ccac097d7eab531cd696e48ee735c0f74798dffe76c0f2a8
Instruction Fuzzy Hash: 5612E131A083519FC326CF19D880A2BBBE5AFC5314F15CA2CE9A55B3A5D771EC05CB92

Function 00358437 Relevance: 6.7, Strings: 5, Instructions: 469COMMON

Download Yara Rule

Strings

J'N!, xrefs: 00358B3B
"#, xrefs: 00358B43
LMR|, xrefs: 00358848
vu~r, xrefs: 00358868
H}}C, xrefs: 00358850

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: "#$H}}C$J'N!$LMR|$vu~r
API String ID: 0-1530353048
Opcode ID: f4ec04c095bf87bb331138f4f64a60bf18c70400d546c089067b801d0cf875f7
Instruction ID: e989cf7e2cd666d2fcf6d58cf73c596c51794ee08f9ea9b5c78ca9fb1b5a5fab
Opcode Fuzzy Hash: f4ec04c095bf87bb331138f4f64a60bf18c70400d546c089067b801d0cf875f7
Instruction Fuzzy Hash: ABE19AB150C380CFD7128F28988066BBBE5AF86305F194D6DFDC99B252EB35D909CB52

Function 003342B0 Relevance: 6.7, Strings: 5, Instructions: 464COMMON

Download Yara Rule

Strings

), xrefs: 0033432D
), xrefs: 00334337
IEND, xrefs: 0033478F
IDAT, xrefs: 0033471B
IHDR, xrefs: 003346AC

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: bcb1bd8460aaaf8d7acee29e9483d991e9dad74383df7d3ad26411db30e7db35
Instruction ID: 59661520743c8a8c6028524140d3b9672e24150221c74d14fc7ae2a9c5337e29
Opcode Fuzzy Hash: bcb1bd8460aaaf8d7acee29e9483d991e9dad74383df7d3ad26411db30e7db35
Instruction Fuzzy Hash: AC0225746083848FD715CF29D89176BBBE1EF86304F04866DF9998B392D375E908CB92

Function 003392A0 Relevance: 6.7, Strings: 5, Instructions: 452COMMON

Download Yara Rule

Strings

RRP\, xrefs: 0033973E
P, xrefs: 0033948B
#"2., xrefs: 003393C2
!oW1, xrefs: 003393CA
C, xrefs: 0033960D

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: !oW1$#"2.$C$P$RRP\
API String ID: 0-2182630447
Opcode ID: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction ID: 0f26a11ae75104add8ddd09fc0f60d559b1ca25215b64cf9f83fd8d9dbffbf07
Opcode Fuzzy Hash: 9e5b2cc2ab5d07adaa8a414532c7643901df2a50596dff6e5731d4bc268ab305
Instruction Fuzzy Hash: 50C1077121C3928BD3168F29C49136BBFE2AFD3304F18896DE4D54B386D779850AC792

Function 00359FE4 Relevance: 6.7, Strings: 5, Instructions: 437COMMON

Download Yara Rule

Strings

,fbV, xrefs: 0035A353
ooKv, xrefs: 0035A363
lvhu, xrefs: 0035A34B
d~`}, xrefs: 0035A35B
sf, xrefs: 0035A36B

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: ,fbV$d~`}$lvhu$ooKv$sf
API String ID: 0-4157365443
Opcode ID: 5c3887f74e1e9e98471d6afe690845b18edae1bc42e70f41fe7221754ca8f14c
Instruction ID: 7eac77fc9e801c67166ec064aa1d2803bb8740a1a1db376d409661111180879e
Opcode Fuzzy Hash: 5c3887f74e1e9e98471d6afe690845b18edae1bc42e70f41fe7221754ca8f14c
Instruction Fuzzy Hash: E1E129B150C7418FD725CF18C8817ABB7E2AFD1304F098A2CE9D58B352E679E908D782

Function 0033D545 Relevance: 6.6, Strings: 5, Instructions: 350COMMON

Download Yara Rule

Strings

9Y, xrefs: 0033D854
|qay, xrefs: 0033D641
~wxH, xrefs: 0033D64F
&W-Q, xrefs: 0033D7B9
?C*], xrefs: 0033D7A4

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: &W-Q$9Y$?C*]$|qay$~wxH
API String ID: 0-1959178137
Opcode ID: 4e8c6073f0d438bd973bde7c141b256e1d056a07236fa42fb5885691e5e82241
Instruction ID: ee1723d0f46f7bc02174d9d2b6aea25c58eebd9756503db2eb24f0114e4afa09
Opcode Fuzzy Hash: 4e8c6073f0d438bd973bde7c141b256e1d056a07236fa42fb5885691e5e82241
Instruction Fuzzy Hash: C2B105756047818BD326CF2AC4D1762BBE2FB96300F18D5ACC4D64FB46D738A856CB91

Function 00339790 Relevance: 5.4, Strings: 4, Instructions: 415COMMON

Download Yara Rule

Strings

*+, xrefs: 00339B1E
kh, xrefs: 00339BE3
{u, xrefs: 00339A7E
nz, xrefs: 003398E3

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: *+$kh$nz${u
API String ID: 0-424779605
Opcode ID: 108f14f6b432ab71a797954b87112a837cc236338646ffd2602c00585937c3dd
Instruction ID: e28e73c9f97b156d6db726075a8dea25e5dea93489cf02d854f441f63ad3085c
Opcode Fuzzy Hash: 108f14f6b432ab71a797954b87112a837cc236338646ffd2602c00585937c3dd
Instruction Fuzzy Hash: 37D103716087508BD725CF34C891BABBBE6EFC1318F19896DE4D58B392D674C80ACB46

Function 0035FCBC Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

_Pna, xrefs: 0035FD26
BVAI, xrefs: 0035FF6A
t, xrefs: 0035FCCC
mc, xrefs: 0035FDF9

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: BVAI$_Pna$mc$t
API String ID: 0-1770441902
Opcode ID: f5c72f6cfd8097d1184805eb84af3bc33776c25c062fbf30f62036fd4cb19b1f
Instruction ID: 2f9b3babacbdcbd295866e59176a6cc39c2a0a2978fb7e28f0277d62700d4a44
Opcode Fuzzy Hash: f5c72f6cfd8097d1184805eb84af3bc33776c25c062fbf30f62036fd4cb19b1f
Instruction Fuzzy Hash: C9A1E37050C3C18EE33ACF2980107ABBBE1AFD7305F18896DD4D997292D779854ACB56

Function 0035EA62 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

0, xrefs: 0035ED00
D, xrefs: 0035ED68
4b, xrefs: 0035EDDA
8<j?, xrefs: 0035ED50

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: 0$8<j?$D$4b
API String ID: 0-1320392364
Opcode ID: 650b82ccd3809ab14e0cc30b432b60d847c9d429b7b1f657eb8071aa711abc79
Instruction ID: 66e9fb734b71e726d2d550078d144e775c204930258f2a102ec65ff698f1bd67
Opcode Fuzzy Hash: 650b82ccd3809ab14e0cc30b432b60d847c9d429b7b1f657eb8071aa711abc79
Instruction Fuzzy Hash: 6991086021C3818BD31ECF39846277BFBD29FD6315F29896DE8D6CB291D278C5099712

Function 0035A9F7 Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

bt, xrefs: 0035AE84
zi, xrefs: 0035AE8C
v, xrefs: 0035ACB0
v, xrefs: 0035AD90, 0035AE5D, 0035ADD1, 0035AE45, 0035AC34, 0035AC4B, 0035AB80, 0035ABC1

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: v$v$bt$zi
API String ID: 0-1945541540
Opcode ID: 80efac398f9432a9346d009aeded6830b5e99963af3411ebfe322f1376e77006
Instruction ID: 145b45806d37073be5b74ae5a6854ab8e66f85346578451f393a973f46da2525
Opcode Fuzzy Hash: 80efac398f9432a9346d009aeded6830b5e99963af3411ebfe322f1376e77006
Instruction Fuzzy Hash: 16D1587260C3558FD725CF28D45079FFBE6EBC4304F06892DE8A99B281D774D60A8B86

Function 0034BBA0 Relevance: 5.3, Strings: 4, Instructions: 325COMMON

Download Yara Rule

Strings

WT, xrefs: 0034BD39
,D,J, xrefs: 0034BD19
9HiN, xrefs: 0034BD21
'P0V, xrefs: 0034BD31

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: 'P0V$,D,J$9HiN$WT
API String ID: 0-3770969982
Opcode ID: 03ae2518680a75f668fad85bef1520240b5476575a50bb3c391350eb794466ad
Instruction ID: 62f799db0bac8c0efd17a26fe6f9d7f7c718fcc1e792949eaa9284cc421b345d
Opcode Fuzzy Hash: 03ae2518680a75f668fad85bef1520240b5476575a50bb3c391350eb794466ad
Instruction Fuzzy Hash: C7B1227664D3559BD304CF62D8802AFBBE2FBC1314F098D2CE1C89B351D779994A8B82

Function 004F9098 Relevance: 4.6, Strings: 3, Instructions: 862COMMON

Download Yara Rule

Strings

Di{{, xrefs: 004F985C
3df[, xrefs: 004F92F4
V%, xrefs: 004F9A1F

Memory Dump Source

Source File: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: 3df[$Di{{$ V%
API String ID: 0-2334815800
Opcode ID: df8ce83d45f653e7253902d1eebbfe2e9a4ddfba14b8cdbd1caf808903b428e8
Instruction ID: 901f26d1f2f54dc04c11ef15d120c0561f3d9baf47420acaa2454266f3370188
Opcode Fuzzy Hash: df8ce83d45f653e7253902d1eebbfe2e9a4ddfba14b8cdbd1caf808903b428e8
Instruction Fuzzy Hash: 1D422BF3A082009FE7046E2DEC8577ABBE9EFD4720F16453DEAC4D3744EA3598058696

Function 00351E70 Relevance: 4.2, Strings: 3, Instructions: 435COMMON

Download Yara Rule

Strings

defgau`c, xrefs: 00351FCA
(ijkdefgau`c, xrefs: 00351FBE
au`c, xrefs: 00351FC6

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: (ijkdefgau`c$au`c$defgau`c
API String ID: 0-3415814675
Opcode ID: 417be931a8213e2847a685a7c0d9ab75eb8f0846b37abef959b1623d2869777c
Instruction ID: 702c78e800bdc8052d3d8c17f18493f45cea95e4f60592b50c612645fb82d1ce
Opcode Fuzzy Hash: 417be931a8213e2847a685a7c0d9ab75eb8f0846b37abef959b1623d2869777c
Instruction Fuzzy Hash: C3D1E0B16083408FD715DF28C891B6BBBE1EFC6354F18892CE9858B3A1E775D909CB52

Function 00364CEF Relevance: 4.2, Strings: 3, Instructions: 429COMMON

Download Yara Rule

Strings

$, xrefs: 00364DE6
K, xrefs: 00364DDE
., xrefs: 00364DE2

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: $$.$K
API String ID: 0-4278605028
Opcode ID: deb763cd84808a36797b44d5e710a70fae2d39121224f154c3f14bf0c025357a
Instruction ID: ee7206ac452c9e877cf8f2b3c400ddffd62b683d2e5c9179cf9e09adec67e0d6
Opcode Fuzzy Hash: deb763cd84808a36797b44d5e710a70fae2d39121224f154c3f14bf0c025357a
Instruction Fuzzy Hash: 72029D71614BC08BE3198F3DC891352BFE2AB56304F0CC9ADD4DACB78BC229E5458B65

Function 004F6CAD Relevance: 4.2, Strings: 2, Instructions: 1668COMMON

Download Yara Rule

Strings

bj=, xrefs: 004F7602
xJ/, xrefs: 004F6F88

Memory Dump Source

Source File: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: bj=$xJ/
API String ID: 0-3137969257
Opcode ID: 27bf07aa0bc0086a10b74aa495730c7fbeb7ae5f3bfbb0a5989813a2e51e231c
Instruction ID: c081689aefc17e5cde84e875a6bbf5cccd2a31fe54fe14d4b2245056906d4eaf
Opcode Fuzzy Hash: 27bf07aa0bc0086a10b74aa495730c7fbeb7ae5f3bfbb0a5989813a2e51e231c
Instruction Fuzzy Hash: 74B217F390C2049FE3146E2DEC8567AFBE9EF94720F1A493DEAC4C3744EA3558058696

Function 004FD7EB Relevance: 4.2, Strings: 2, Instructions: 1657COMMON

Download Yara Rule

Strings

d<}, xrefs: 004FEB29
.i]{, xrefs: 004FDB90

Memory Dump Source

Source File: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: .i]{$d<}
API String ID: 0-322904339
Opcode ID: ba68cdd188b874a648653776e8b300472b46a9d9f41d4909f3d3ef5c17229d50
Instruction ID: b05d80011e48e8cf2a9e6a1e7d12ede4897617cfba432e9eb5952dde8a458f12
Opcode Fuzzy Hash: ba68cdd188b874a648653776e8b300472b46a9d9f41d4909f3d3ef5c17229d50
Instruction Fuzzy Hash: 0FB22AF36082049FE304AE2DEC85B7ABBD9EF94720F1A463DEAC5C3744E93558058697

Function 0035EB5F Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

D, xrefs: 0035ED68
4b, xrefs: 0035EDDA
8<j?, xrefs: 0035ED50

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d12764648f240636ba32d8084ef4db739841702826302952e02b580170fb8c27
Instruction ID: 09702d19ec2e1a56e8230a6cc4ba85c3c2baa0040dcc34442769a10e703b6d06
Opcode Fuzzy Hash: d12764648f240636ba32d8084ef4db739841702826302952e02b580170fb8c27
Instruction Fuzzy Hash: 0F81296021C3818BD71ECF3984A177AFFD29FD6315F2D896DE8D68B291D238C50A8712

Function 0035EBB3 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

D, xrefs: 0035ED68
4b, xrefs: 0035EDDA
8<j?, xrefs: 0035ED50

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 64b380026c9c77e4633c8d4ceb0c5c3081faf991fa15e73e5faa003750cafe7e
Instruction ID: 80d8f9ac3a04cd36f227275bdb279d00cf41ce4dd369ebb6a9516db25bd23191
Opcode Fuzzy Hash: 64b380026c9c77e4633c8d4ceb0c5c3081faf991fa15e73e5faa003750cafe7e
Instruction Fuzzy Hash: 6781196021C3818BD71ECF39846177AFFD29FD6315F2D896DE8D68B291D238C50A8752

Function 00338F90 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

#=0, xrefs: 00338FC5
ut, xrefs: 003390E1
Z, xrefs: 003390E8

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: #=0$Z$ut
API String ID: 0-1971374411
Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction ID: d023be2e99e754d1baa811640b2cf0a1e1719764d3fc014e300daab8854a11a0
Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction Fuzzy Hash: 3581173150C7828AD7068F39C49036BFFE1AF93314F1849AEE4D19B396D769C50AC752

Function 0035EBA1 Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

D, xrefs: 0035ED68
4b, xrefs: 0035EDDA
8<j?, xrefs: 0035ED50

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 3106ab1147936f8be7e0f6db6a6d66b5da8cfa3703f6d96e69db037d2dac4831
Instruction ID: c2051a3dbca54152e3587abe9ffb659529c0e407b188cc89604daed1429673b0
Opcode Fuzzy Hash: 3106ab1147936f8be7e0f6db6a6d66b5da8cfa3703f6d96e69db037d2dac4831
Instruction Fuzzy Hash: D88108602183818BD31ECF3988A177AFFD29FD6315F2D896DE4D58B291D238C50A8B56

Function 00372D20 Relevance: 4.0, Strings: 3, Instructions: 282COMMON

Download Yara Rule

Strings

D`a&, xrefs: 00372ED5
bX_^, xrefs: 00372D22
NMNO, xrefs: 00372E20

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID: InitializeThunk
String ID: D`a&$NMNO$bX_^
API String ID: 2994545307-620122162
Opcode ID: 5f04923772e7a5e14dc9647574d9b0013f619a4c840af16d2928854263192260
Instruction ID: bc2a1c102062ce8b05fe6a70aa76c7712f52e537387dc3c892759fd66e79c820
Opcode Fuzzy Hash: 5f04923772e7a5e14dc9647574d9b0013f619a4c840af16d2928854263192260
Instruction Fuzzy Hash: C18158312083058FD32ADF25DC8166BB7A6EBC5324F2AC62CE5A94B391DB36DD09C751

Function 0034825B Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

gfff, xrefs: 003483EA
7, xrefs: 003483A3
), xrefs: 0034837A

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: )$7$gfff
API String ID: 0-3859371245
Opcode ID: 4c0947969e679c0df5af6d3e781dcefc926444e353f4b9bde4decd35fb34ee07
Instruction ID: 0561eebdcb697b6a7fd0304ab8074dbeda0178d07adf5cd8a7e78fc629bb4a69
Opcode Fuzzy Hash: 4c0947969e679c0df5af6d3e781dcefc926444e353f4b9bde4decd35fb34ee07
Instruction Fuzzy Hash: 33814572A142118BD329CF28CC417AF77D6EBC8314F19C92DE585DB395EB78E9068B81

Function 00357133 Relevance: 4.0, Strings: 3, Instructions: 219COMMON

Download Yara Rule

Strings

FOOE, xrefs: 00357307
KGFU, xrefs: 00357315
UUQg, xrefs: 00357323

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: FOOE$KGFU$UUQg
API String ID: 0-2281124432
Opcode ID: c87334b0cc75eeea357b534c3f1b1ded0e6aa98abb64489a321f9aea125428b8
Instruction ID: 04eb7230e069a0f3467080310ce5fdfa3057149f077b3f483e9c3e3e556915be
Opcode Fuzzy Hash: c87334b0cc75eeea357b534c3f1b1ded0e6aa98abb64489a321f9aea125428b8
Instruction Fuzzy Hash: D061EF72A082528FD721CFA8C8406EAF7A2EF55321F1E4665DC158B3A2E334DD0AD3D1

Function 0034AF24 Relevance: 3.9, Strings: 3, Instructions: 196COMMON

Download Yara Rule

Strings

t]ae, xrefs: 0034B081
5230, xrefs: 0034AFC1
I`af, xrefs: 0034B038

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: 5230$I`af$t]ae
API String ID: 0-812676372
Opcode ID: 6b6a1057d7f9c7035813d26f4bbf6d4d5f8a68a71ab0e522306e073e428af7f8
Instruction ID: 037ce84aa3207ffb73e1ae86bb36d1d072b7e029949a536b8efd33e67fb7748a
Opcode Fuzzy Hash: 6b6a1057d7f9c7035813d26f4bbf6d4d5f8a68a71ab0e522306e073e428af7f8
Instruction Fuzzy Hash: EE514772A55B808FE739CF75CC91763BBE3ABA1304F19896DC1C28B695DAB8A405C700

Function 003D333E Relevance: 3.9, Strings: 3, Instructions: 177COMMON

Download Yara Rule

Strings

`E5, xrefs: 003D33EC
b_g, xrefs: 003D352A
On_y, xrefs: 003D3475

Memory Dump Source

Source File: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: On_y$`E5$b_g
API String ID: 0-670224720
Opcode ID: bac0bc0009b5945e06284197e7bf8fa3e7db4ff08bb9355417d4ebf68a5b2b78
Instruction ID: 96d4697d749a466642d1702e38888ea82d8f1b58514c61460c183a46cef2cf70
Opcode Fuzzy Hash: bac0bc0009b5945e06284197e7bf8fa3e7db4ff08bb9355417d4ebf68a5b2b78
Instruction Fuzzy Hash: A85137F3A053108BE3046E3CDD9576AB7D6EB94720F1A0A3EDAC493788ED35590487CA

Function 0034DAD0 Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

5230, xrefs: 0034DB20
1, xrefs: 0034DBA3
A, xrefs: 0034DC18

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: 1$5230$A
API String ID: 0-2921844354
Opcode ID: 0067cf403779e33a526d2907bfd9db47e032ff0337b74ebe1d56a031e51b1cb0
Instruction ID: d51107a5b4029e4485474c9ad418ebf8f4b891de617beabd5211d31d64b35fb5
Opcode Fuzzy Hash: 0067cf403779e33a526d2907bfd9db47e032ff0337b74ebe1d56a031e51b1cb0
Instruction Fuzzy Hash: 2941683265C3405AE325AE75DC8276BB6E3EBD1724F19C93DF1D99B2C5E9B848028312

Function 00344C20 Relevance: 3.5, Strings: 2, Instructions: 989COMMON

Download Yara Rule

Strings

U4, xrefs: 003455D4
NP,?, xrefs: 00345070

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: NP,?$U4
API String ID: 0-3104818612
Opcode ID: 22859e02a4083780a56543b0d6de965bcb5959b5dca2f990360f10227016086e
Instruction ID: 865cc2de7405abf8449b2e53d6a613aa64c45709c6c333c1e837a88463c27b77
Opcode Fuzzy Hash: 22859e02a4083780a56543b0d6de965bcb5959b5dca2f990360f10227016086e
Instruction Fuzzy Hash: 08524675A18300DBD726DF29DC8172B73E6EB85324F15852CF5898B2E2E735AD41C781

Function 0034F6D0 Relevance: 3.3, Strings: 2, Instructions: 817COMMON

Download Yara Rule

Strings

5, xrefs: 00350058
95, xrefs: 003501A0

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: 95$5
API String ID: 0-494074898
Opcode ID: 5ea37d69a3100a37da411951250c41c2f6dc5c4bbcee7cef048827a7c69ade85
Instruction ID: ab710a5b5f15014f17e2d2f38cabce54667cfa429fcb9c8885ff4c77145f322c
Opcode Fuzzy Hash: 5ea37d69a3100a37da411951250c41c2f6dc5c4bbcee7cef048827a7c69ade85
Instruction Fuzzy Hash: 7572D1B1618B808FD3768F3C8805797BFD6AB5A324F188B5DA0FA877D2C77560018756

Function 0035B170 Relevance: 2.9, Strings: 2, Instructions: 428COMMON

Download Yara Rule

Strings

{wBy, xrefs: 0035B538
?;;, xrefs: 0035B3AA

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: {wBy$?;;
API String ID: 0-3800777323
Opcode ID: c2ce920f00a51c9aea5fb3ad305b03d67d63e80e76e2a5b34d9aa2aef3002d27
Instruction ID: 0d4622a786ce1a8c39b4393a125f9013eb417622714f8edc0d6fc834485ff70d
Opcode Fuzzy Hash: c2ce920f00a51c9aea5fb3ad305b03d67d63e80e76e2a5b34d9aa2aef3002d27
Instruction Fuzzy Hash: 23F1357050C340DFD3269F28D891B2AB7E5BF85315F058A6DF8D98B2A2D335D949CB12

Function 00361E8E Relevance: 2.9, Strings: 2, Instructions: 383COMMON

Download Yara Rule

Strings

nz, xrefs: 00362051
nz, xrefs: 0036204A

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: nz$nz
API String ID: 0-4002586851
Opcode ID: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction ID: 7a5819b564ab6452a8f34b8ae4c2bac3c3e962db3e9b29a1fd8ab6fa2c52049a
Opcode Fuzzy Hash: 657b8ad3b5a701e97fdb508390c6d00fb43f0f4f68eec0077ab5ee9a3c7d2eea
Instruction Fuzzy Hash: 38E10672608B808FD3158B3CC891396BFE2AFDA314F1DC66DC5EA8B396D675A406C711

Function 00357490 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

yr, xrefs: 003575CE
o~, xrefs: 003575E6

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: o~$yr
API String ID: 0-1013308823
Opcode ID: 25461eced12ac3aaaa5cd3fece7541b19e41618dbaf2cbbb488519ba86bd5b45
Instruction ID: a2fac7084a7e8e5d31a4b3281a177687f96762051913585d0e54ec0068cf01b7
Opcode Fuzzy Hash: 25461eced12ac3aaaa5cd3fece7541b19e41618dbaf2cbbb488519ba86bd5b45
Instruction Fuzzy Hash: 1391397590C3108BD321DF19D845A6BBBE2EFD1314F0A892CE9D95B3A1E7B4C909C786

Function 00358280 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

:7$%, xrefs: 00358375
:7$%, xrefs: 003582F6, 003582C5

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: :7$%$:7$%
API String ID: 0-2391988857
Opcode ID: 5aa382e2eafa7daa34e5b8ffa9ee0294ffef4a41c4350cb05d909f14f4208179
Instruction ID: 13d4c57462016c7f02469792b918aca55314d9ad219e0bcfd67499a685c63413
Opcode Fuzzy Hash: 5aa382e2eafa7daa34e5b8ffa9ee0294ffef4a41c4350cb05d909f14f4208179
Instruction Fuzzy Hash: E321D0711083808BD7089B79C965B6FFBE5BB82318F105A2CE1D28B291DBB48409CB82

Function 0037042D Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

7&'$, xrefs: 00370445
vAO, xrefs: 0037049C

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: 7&'$$vAO
API String ID: 0-411188015
Opcode ID: 20e97c6a40b7297fb6e554a07cb3985a1cc13fe2b3f2dea69faaa6f8b546eb0a
Instruction ID: beb530ee5d9ae20f1d2afe3928c451225192ae019001decafc3130c024bd74c7
Opcode Fuzzy Hash: 20e97c6a40b7297fb6e554a07cb3985a1cc13fe2b3f2dea69faaa6f8b546eb0a
Instruction Fuzzy Hash: 99F068305145448BDBA68F3D9C996BE67F0E713324F202AB8C66EE32A2C63488818E04

Function 0034194F Relevance: 2.2, APIs: 1, Instructions: 666COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 00341D64

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 95ba3648b79d1f617725a715397c8e75580ffb430a4a5e6e0aa0f8c3d513e4fe
Instruction ID: aade4d2a117051130a8df4b7c88a614aaaaea6c8ee884c59945b7c4814a12f0e
Opcode Fuzzy Hash: 95ba3648b79d1f617725a715397c8e75580ffb430a4a5e6e0aa0f8c3d513e4fe
Instruction Fuzzy Hash: 8C42F7B5A04B408FD716DF38C881366BBE1AF95314F198A2DD4AB8F792D635F446C702

Function 0036CD27 Relevance: 2.0, Strings: 1, Instructions: 747COMMON

Download Yara Rule

Strings

/p, xrefs: 0036D2AD

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: /p
API String ID: 0-62938030
Opcode ID: 7be8b90910bc1ea24976a886d341829647a290e99af096ed471cc46c5f2458df
Instruction ID: 8aea08af4e891672f270bb00c8e8eb373204a1e0a4f607a599e1d1f6383f6db4
Opcode Fuzzy Hash: 7be8b90910bc1ea24976a886d341829647a290e99af096ed471cc46c5f2458df
Instruction Fuzzy Hash: FB32103AA28351CBD7149F39D81136BB3F1FF99320F1A886DD4C587291E7798984C782

Function 00362426 Relevance: 1.7, Strings: 1, Instructions: 458COMMON

Download Yara Rule

Strings

J, xrefs: 0036249F

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: 8a22e0383a0f93250f8fc4150633f3f0df37e5a43d95c4e9e0289789aa120a48
Instruction ID: ea18f35475c8e15aefbc45c61dbeca6a99dd4c59c46ce1b97726ef816bc2ead5
Opcode Fuzzy Hash: 8a22e0383a0f93250f8fc4150633f3f0df37e5a43d95c4e9e0289789aa120a48
Instruction Fuzzy Hash: 48127C71619AC18FE3158B38C991392BFE1AB66304F1CC9ADC4EACB387D63AD5068751

Function 00352380 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

:;, xrefs: 003523AC

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: :;
API String ID: 0-3581617570
Opcode ID: 71a758dd9b7ace3e7a1e9646c862eb274ceee6512b9855e6ef9b5de6ffde344f
Instruction ID: c32f8b6ceace4416a033694df261ce872df194fad341364d7ae2d3dc2e05d5ec
Opcode Fuzzy Hash: 71a758dd9b7ace3e7a1e9646c862eb274ceee6512b9855e6ef9b5de6ffde344f
Instruction Fuzzy Hash: 7BA10771A043109BD7229F24DC82B6BB3E4EF82365F19852CFC959B2A1F378DD098752

Function 0036C5A0 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0036C7C0

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: e4d48f99763ebbc52e8f8409ff7ab252ec6142534ceb4724d3acfe7fb8131d03
Instruction ID: 0706092868f27a0b1323e3225bdc30c5fc4184a0097856e743fe068bcb374350
Opcode Fuzzy Hash: e4d48f99763ebbc52e8f8409ff7ab252ec6142534ceb4724d3acfe7fb8131d03
Instruction Fuzzy Hash: 75A16976B283109FD336CE29C88163BB3A6EBC5324F19E62CE5D957299D731EC018791

Function 00375620 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

0010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00375655

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: 0010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-2906481384
Opcode ID: 1e6157da3a3c0566d0107cb64caecf0a488f2696d502d4f0dc26d046e996b51e
Instruction ID: 06da087684a387b486bbee238eb0aa81ca6633369a20245ed984b49566493e06
Opcode Fuzzy Hash: 1e6157da3a3c0566d0107cb64caecf0a488f2696d502d4f0dc26d046e996b51e
Instruction Fuzzy Hash: BEC1B2B54693E1AFDB979F3084912A37FA0EF4B71935661EEC9C38E423C1219443DB82

Function 0034BEE1 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

'', xrefs: 0034C360, 0034C364

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: ''
API String ID: 0-694448769
Opcode ID: 642a28a8afd1f23768c05ebcd7e72ffff525fef1718c184b5989487dfed6fa46
Instruction ID: 7437ffa7f4dc554015cf2adb39347267457c7c42e8a19470f3ec43bddec0ce28
Opcode Fuzzy Hash: 642a28a8afd1f23768c05ebcd7e72ffff525fef1718c184b5989487dfed6fa46
Instruction Fuzzy Hash: F19144B56293108BC314CF28C89126BB7E2EFD5364F19E92CE8D68B391E774D904C792

Function 00346ED0 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

*+, xrefs: 00347069

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: *+
API String ID: 0-2181965719
Opcode ID: 881269f4c1cb48c4bcd971a48517dfa1b5a90f3f6131f833a075466e9997b4b3
Instruction ID: 405188f591c8b5e4df0c35c7870e39f128def434e9b61ac441a6fa32273cc2eb
Opcode Fuzzy Hash: 881269f4c1cb48c4bcd971a48517dfa1b5a90f3f6131f833a075466e9997b4b3
Instruction Fuzzy Hash: 11B196B55093818BD732CF24C8917EBBBE1EF96314F19892CE4C98B290EB745446CB82

Function 0033DFE2 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

UXY^, xrefs: 0033E295

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: UXY^
API String ID: 0-1486013802
Opcode ID: 73dedff59bf6d74efb645e85c453a5267e426a866f7fdcc4347aa6eb0b6b351d
Instruction ID: f0c5b538af586e20beafc77f7f8661fadc06915efe029e7027dad07338d30484
Opcode Fuzzy Hash: 73dedff59bf6d74efb645e85c453a5267e426a866f7fdcc4347aa6eb0b6b351d
Instruction Fuzzy Hash: 579111B5604B418FD316CF29C9D0662FBA2FF96300B19869CD0D68FB56C778E806CB91

Function 00372470 Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

_\]R, xrefs: 00372490

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID: InitializeThunk
String ID: _\]R
API String ID: 2994545307-1576797437
Opcode ID: 3fff97947a69ebef2c11b506a918e8883ecf452c393892d6c35fb510f9601a56
Instruction ID: d2a720336a7454af5bd14a1d8b69cf4cdb52d8788dd190ad59104faeee8609b5
Opcode Fuzzy Hash: 3fff97947a69ebef2c11b506a918e8883ecf452c393892d6c35fb510f9601a56
Instruction Fuzzy Hash: C09107315083518BC72ADF29D85096FB7E2EFDA320F19C52CE4899B292E735E945C782

Function 00357F30 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

, xrefs: 00358074, 00358093, 003580C4

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-3019521637
Opcode ID: b2a2f669f7e7359cf051d328eebfb12211035e57c1545e3a7198870444819680
Instruction ID: 9acaa3e4eff9865728f40b44a1db7881ff219b0f73084f1b7cb4b23e379be23b
Opcode Fuzzy Hash: b2a2f669f7e7359cf051d328eebfb12211035e57c1545e3a7198870444819680
Instruction Fuzzy Hash: B1816A71A087009BD726DB25DC91E2B73A5EFC1325F19852CFC8A5B3A1EB349D0E8791

Function 00336000 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

,, xrefs: 00336169

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
Instruction ID: 98e3ff311b5b8ba922216dc65becd209054cd90c51d2c7346afa698ced06ba57
Opcode Fuzzy Hash: cb9d9bb17d339ae8af9f285b74fa207be133779a529036d3e62f497118ea5ea7
Instruction Fuzzy Hash: 5DB1377120C3819FD325CF18C88165BFBE0AFA9304F448A2DF5D997782D271E918CB96

Function 00363930 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

d, xrefs: 003639CA

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 7306b6f61d8a236e135b88f5f29a15017f7fe42d6b0198f1df07cbfc91289003
Instruction ID: 52e41660c1c68e78102cb628a4258adffce73698c5cff1c4facf7f541f3e6f81
Opcode Fuzzy Hash: 7306b6f61d8a236e135b88f5f29a15017f7fe42d6b0198f1df07cbfc91289003
Instruction Fuzzy Hash: 81814422759AD04BD32E893C4C612BA7E934BD2330F2DC76DB5F68B3E5D6A989058340

Function 003727B0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

=^"\, xrefs: 003728B7

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: =^"\
API String ID: 0-2152245029
Opcode ID: b854ae6fe308738772b971e81074272904d8a549c1e05c63e3db79a31e26a6b3
Instruction ID: 6bfd24dc32b9042b58d30c8ab54c4e48c50e21c3bbebbf1db428b8556c509ec2
Opcode Fuzzy Hash: b854ae6fe308738772b971e81074272904d8a549c1e05c63e3db79a31e26a6b3
Instruction Fuzzy Hash: 7381A0342042019BC736DF1DD890A6BB3F2EF99710F15856CE9998B3A1EB35EC51CB42

Function 0035D830 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0035DA2E

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 38a1f64ac6818e039890973217798ec39a81de872633ff6d1ca9c99e283abcc5
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: AF71E532A083154BD736CE28C480B1FB7E6ABC5711F1A852DEC949B3A5D335DD4C8786

Function 0034A900 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_;=8, xrefs: 0034AA58

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: _;=8
API String ID: 0-3640539833
Opcode ID: d2dfc9f7594f9c28f319a1cb7ef0e4ff69b37ad3b528d4ae5542f72c11055c28
Instruction ID: 98577be96f217e3a2a1f415ab10ff9c9fcbca171058efaabe83a71af54aeadec
Opcode Fuzzy Hash: d2dfc9f7594f9c28f319a1cb7ef0e4ff69b37ad3b528d4ae5542f72c11055c28
Instruction Fuzzy Hash: 1A510FB0521B408BC7399F25C8656B3BBF1EF52345B094A5CC5C38BA46E739A908CBA1

Function 004D4B04 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

#]w, xrefs: 004D4BDB

Memory Dump Source

Source File: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: #]w
API String ID: 0-795672936
Opcode ID: 631bd5385f396ab061304b0a18497a392c0e5f02eb29c68a69541678c8c0c36b
Instruction ID: d024863d7aa95597cca3f29e9e66d1091e6fc684aa27c2c0afddbc634b94e442
Opcode Fuzzy Hash: 631bd5385f396ab061304b0a18497a392c0e5f02eb29c68a69541678c8c0c36b
Instruction Fuzzy Hash: C161D5F39086004BF3596E28DC9677AB7D2EF94310F1A8A3D9BC5577C4EE3958408687

Function 00370BAB Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

}IO, xrefs: 00370CA6

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: }IO
API String ID: 0-1689291356
Opcode ID: 9902922c7f066d828d3f906d54a43c725c4d58f15fbd4d7a5f07fb18498018fb
Instruction ID: ddff061b6c14a5308d1e5150ad2ccf72c39af055fb21e7dde74ec622eb624efa
Opcode Fuzzy Hash: 9902922c7f066d828d3f906d54a43c725c4d58f15fbd4d7a5f07fb18498018fb
Instruction Fuzzy Hash: 913128605546928BDB268F34C8A17B6B7B0FF47310F148759C8C58B685EB78A592CB81

Function 0059A2B1 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

V=, xrefs: 0059A2B5

Memory Dump Source

Source File: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID: V=
API String ID: 0-2985662858
Opcode ID: 9a5bba15ce14b3727c472411e671dd07e7872444ab0dda77ab5937e0fe6f52fb
Instruction ID: ce2cbb35058ccc991a5b009cb9f7267bf88e5726f32a1743494779b3f49ae9bf
Opcode Fuzzy Hash: 9a5bba15ce14b3727c472411e671dd07e7872444ab0dda77ab5937e0fe6f52fb
Instruction Fuzzy Hash: 0B01B5F75196049FE301EE6ADC815BBBBD6EBD4324F26C52ED1C183604D63568068793

Function 00332EF0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c90a1d8484d5c096ecb6a95958601b8fb027ff960121d4cca6678da0432b24e
Instruction ID: 611f4cb01bae734b00e57c0fd01974bf179281d4e3225173393de7cac3180654
Opcode Fuzzy Hash: 1c90a1d8484d5c096ecb6a95958601b8fb027ff960121d4cca6678da0432b24e
Instruction Fuzzy Hash: 1952C0715083458FCB16CF19C0D06AABBE1FF88314F19CA6DE8999B351D739DA49CB81

Function 00336850 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2ae37360c92134274496dfd7c3c05934c3d1c6d5a42d860b037932b1329e8b
Instruction ID: f9134e1b08f49e11a8f014b3505fae83ac531d34644645af78b631cce534b7e3
Opcode Fuzzy Hash: df2ae37360c92134274496dfd7c3c05934c3d1c6d5a42d860b037932b1329e8b
Instruction Fuzzy Hash: 0852F3B0908B84AFEB32CB34C4D53A7BBE1EF51310F15882DD5EB46A82D379A985C715

Function 0036080E Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef3386921be993d93e2bf0b17dcb8ac3fc4f4ec7b73ffe0ae6564bc45e3f2f9
Instruction ID: 2c6977586370dd332cfd684c00a0cb13e3324df959d083438a7cd0109436fe74
Opcode Fuzzy Hash: 5ef3386921be993d93e2bf0b17dcb8ac3fc4f4ec7b73ffe0ae6564bc45e3f2f9
Instruction Fuzzy Hash: AE42C2B0505B809FD315CF39C996793BFE1AB56310F18CA9DE4EE8B386C2399445CB92

Function 00337620 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction ID: e8276ab0ee774abc1c0e775e0abd14e45c0bb37cf6e0ee208032b6411217cc0e
Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction Fuzzy Hash: BB12B172A0C7158BC736DF18D8816ABB3E1FFC4315F198A2DD9C69B385D734A8518B82

Function 00333900 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b02988908b950270003e65056c6b42ac172948f605fa3c376e4955d240f4b5
Instruction ID: ff21bb1c51701dbf3e6180e653b960ab31bf2e2a38113eb75af42035e607f2f3
Opcode Fuzzy Hash: 98b02988908b950270003e65056c6b42ac172948f605fa3c376e4955d240f4b5
Instruction Fuzzy Hash: 91320270915B108FC36ACF29C5D056ABBF1BF45710BA08A2ED6978BE90D736F945CB10

Function 00356C76 Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0872030f72c91ec13abd6c5a20bd8998a4067e7b4c23df8d0ee1418ca3068516
Instruction ID: 3fc9e568cb5bc37d6105073d2f6b965f88dc482adf6a0efe8cee8838cf700a92
Opcode Fuzzy Hash: 0872030f72c91ec13abd6c5a20bd8998a4067e7b4c23df8d0ee1418ca3068516
Instruction Fuzzy Hash: 55124775A00216CFCB16CF68C891BAEB7B2FF89301F5981A9C845AB3A1D7359D46CB50

Function 00371B20 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb4704b738a46db9b31c37a1b2a37353a0c09ea6a632bbaca960ee9321d0736
Instruction ID: 11697414f3ab0c785a3cc0ca2297450f78c116aac90fb48a25ba9d51ecf1cdb6
Opcode Fuzzy Hash: aeb4704b738a46db9b31c37a1b2a37353a0c09ea6a632bbaca960ee9321d0736
Instruction Fuzzy Hash: F3E1EE31618340CFC329CF28D89062BB7E6FBC9315F4A997DE98A87651D738E945CB81

Function 0033E9B0 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42522fd3c77bb02aac829da4c3a275ac48b9c56d78aee6f7e0218060aedd6afa
Instruction ID: e39e2c1d3a4c6e5496ae15af3a473000fa452e223555e5b74c6f46bd25a4b386
Opcode Fuzzy Hash: 42522fd3c77bb02aac829da4c3a275ac48b9c56d78aee6f7e0218060aedd6afa
Instruction Fuzzy Hash: AE1229F1914B00AFC361DF39D946797BFE8EB46360F144A2EE5EE87281D73161058BA2

Function 004FCA52 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7575ccbc0be91269490c9afb02cb6ffb234029cd88b8a427e9ab8a628db9f1cd
Instruction ID: 17fda35ec3189ca04c61a109289ce5994c347d4a54aaaf76c898b49f497f7df8
Opcode Fuzzy Hash: 7575ccbc0be91269490c9afb02cb6ffb234029cd88b8a427e9ab8a628db9f1cd
Instruction Fuzzy Hash: A8E1D1F2A0C2049FE708AF29EC5277ABBE5EF94720F16492DE6C583740EA3558108797

Function 00335AB0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
Instruction ID: 588ef4d4b6e395ed34596ac183f4caa0003959a69c5b49dc3804ba38dcfa9af1
Opcode Fuzzy Hash: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
Instruction Fuzzy Hash: 2FF1BD35608B418FC725CF29C88066BFBE6AFD8300F08892DF5D587791E675E945CB92

Function 004F6037 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97af3766659f960d515879d3ed75dd8b7463ccfbf1a14906438f96e2ea952152
Instruction ID: 40ad33d07552e03b67d1c720d43b904f5d30cc9562759db22f251a93959415e2
Opcode Fuzzy Hash: 97af3766659f960d515879d3ed75dd8b7463ccfbf1a14906438f96e2ea952152
Instruction Fuzzy Hash: 2ED127F3608200AFE304AE6DEC85B7ABBE9EBD4320F19453DE6C5C3344EA3598158657

Function 00371BB0 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c8f3174aeb2eaadb90a45c42a5591919e3f26127a0ea8fcd28a20be6b743fa
Instruction ID: 11b928c1f3864919ee914e80f1856e8eb78cbb1bfa364165c7f52fb15faef6b4
Opcode Fuzzy Hash: f1c8f3174aeb2eaadb90a45c42a5591919e3f26127a0ea8fcd28a20be6b743fa
Instruction Fuzzy Hash: 51D1CD31618341CFC329CF38D89062BB7E6FB89315F4A997DE88A87651D738E945CB81

Function 00371C40 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4269c6cd9aab6f9ec4d1e91ed86c9db0020231d35ef440e23c70f448b90be5d7
Instruction ID: 38f06e125489278725a8f14209fe2e5af9220e75e4709c66cbae7ac1a43ff5f8
Opcode Fuzzy Hash: 4269c6cd9aab6f9ec4d1e91ed86c9db0020231d35ef440e23c70f448b90be5d7
Instruction Fuzzy Hash: 58D1BE316183518FC329CF38D89062BB7E2EBC9315F4AD97DE88A87691D738D945CB42

Function 0034D400 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030edafaa16237d674aa9f35ab0ab9a854835e9f4e3c08d9ecbbfa120e59fca0
Instruction ID: e7d49fc3fa045335b0fff361d4f2600469a9b354c013603623fbbe909504863c
Opcode Fuzzy Hash: 030edafaa16237d674aa9f35ab0ab9a854835e9f4e3c08d9ecbbfa120e59fca0
Instruction Fuzzy Hash: 8BC12671508301AFDB229F64DC41B5ABBE2FFD4354F148A2CF8D89B2A1D735A804CB42

Function 00362B24 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
Instruction ID: db491cad14b7aacf6aa755e2ca1f2318e260aa1bbd42f8bbbc28f1f52222ed60
Opcode Fuzzy Hash: a42bc307b6df4b8a2997052392abae3ba1b04b865f6d04cebd1ac29fa035a6ac
Instruction Fuzzy Hash: F9F12771605F808FC316CB38C8903A6BFE2AF96314F1DCA6CD5EA8B396D635A805C711

Function 003654C4 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59bb616a2f8d178efb5f774da9eaca952fd64584e733b88989328f03303e03f9
Instruction ID: 2c846b310e851f30fc317550dd3e2d0cce98129adbe5a09abecc97d41529c85b
Opcode Fuzzy Hash: 59bb616a2f8d178efb5f774da9eaca952fd64584e733b88989328f03303e03f9
Instruction Fuzzy Hash: D9F19B62625AC18FE3158B3DC811396FFE2AB66304F1CCAAED0D9CB787C12DE5418B55

Function 003421DB Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
Instruction ID: 118d981ca45e1ede95633eeef3f0978bcdd7d447c0496a7bdb7b001fa95dc8d7
Opcode Fuzzy Hash: d0704939d3ffdea9ec5931a0f43224e15fa154c614923ed6ac8c930f834d7e03
Instruction Fuzzy Hash: C7C1F6B5A04B408FC7269F38D4D1367BBE1AB56314F18896DE4EB8B782E635A405CB12

Function 0034D0C0 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78a6dbb0c251e03527688e5404dfa673e33eabccad3e43d21518f2399c4d8fe
Instruction ID: 32b94978b4745684b4f3a2e5cc9e37261f2b25cc584d9b41954310609099ab34
Opcode Fuzzy Hash: e78a6dbb0c251e03527688e5404dfa673e33eabccad3e43d21518f2399c4d8fe
Instruction Fuzzy Hash: EF9118726082614BC717CE2888916AFBBE1AB95324F19867DECF95F392C234DC05D7D1

Function 003363C0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction ID: 65785d478d88db309bff6d1cf65b43a2c4b1c4a8bf3219528a7b3f8b4867cb60
Opcode Fuzzy Hash: 32a6d0b72cf3d2ffc0339e9a321dcc048d2014ea7503e5de902cc41c51ca1703
Instruction Fuzzy Hash: A1C16DB29087419FC371CF28CC96BABB7E1BF85318F08892DD1D9C6242E778A155CB46

Function 00358B67 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2880501d53d9e696638cb18dee1ca19ea27a7ad4a322eb1155864bbaf52c3540
Instruction ID: 819221b329c54fe10bc91bebf2850af094456220cd1b5a9ad52fab560d1eff4c
Opcode Fuzzy Hash: 2880501d53d9e696638cb18dee1ca19ea27a7ad4a322eb1155864bbaf52c3540
Instruction Fuzzy Hash: 08A17A31608391CFD7268F389C5176A77E6BF8A311F09876DE9A9873E1DB709944CB80

Function 00338360 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b7f1cd8c447f631ac0fb8206e21f27aa0a856c6d6421e1b1512602f5c4dbf0c
Instruction ID: 5979654fa96cac8557e3a34816dd6811060628808b5193344f9ed06c04fe245d
Opcode Fuzzy Hash: 5b7f1cd8c447f631ac0fb8206e21f27aa0a856c6d6421e1b1512602f5c4dbf0c
Instruction Fuzzy Hash: 61915C31A0C3564BC7129F25C8C025BB7E6AFC2360F19CA68F8D19B3A9EA74DD4487C1

Function 00357070 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 124b94184b60a1c045c6732f010ff925627ee0035325ccb77d88953e67465b97
Instruction ID: 1fe860dda8678d06f8e7b5d44dd7cdb098ad2eef53c59c1b7ea3cf776140a0a3
Opcode Fuzzy Hash: 124b94184b60a1c045c6732f010ff925627ee0035325ccb77d88953e67465b97
Instruction Fuzzy Hash: 19915775E04205CFDB1ACF68D890BAEB7B2FF89301F598098D506AB360D735AD55CB40

Function 004749FE Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9fee323149ed434b313dccd9320f31fb4221ede46eba6d2e11481540264cce9
Instruction ID: cd49ab9c3d1bf391b0ecf180057cb4695a940a76dd00fef29853403b32b276bc
Opcode Fuzzy Hash: a9fee323149ed434b313dccd9320f31fb4221ede46eba6d2e11481540264cce9
Instruction Fuzzy Hash: 91917DF3F1163647F3544869DC583A265829BA1315F2F82788F5CBB7C6E87E9C0A52C4

Function 0037711E Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945c4c73d4e365e2bce37d9486fc68a3460df9538a8f40a2e7c22b18eca2d6e7
Instruction ID: 1d3e4e5671692e47b7160728f34b3f47ac55eb2edb95d526c34078ca2a891420
Opcode Fuzzy Hash: 945c4c73d4e365e2bce37d9486fc68a3460df9538a8f40a2e7c22b18eca2d6e7
Instruction Fuzzy Hash: 81A1CCB291D2C59FD763CF74C8A95457FF0AE2724076888CFC8848B5A7D269E406DB82

Function 003793B4 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362b025420ca375a4e6d5e060bad8efd5377089d51a6848c2e782887629114e5
Instruction ID: 31baa67eb53c32a3ad460b23526a897bb31dab4d5b68b5f076346e707b3961f2
Opcode Fuzzy Hash: 362b025420ca375a4e6d5e060bad8efd5377089d51a6848c2e782887629114e5
Instruction Fuzzy Hash: DBA14ADA86EBD14FD7138B746878286AFB05F2714938B08DFC880DB1D3E549990BC756

Function 00372A60 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dcb3847474e8bc35b50831b93979bca43b0a6cfeef500ee7d43cd661992d6f5
Instruction ID: 9868a7e53f7585e886b1691be5c0729dcbc0ceba2442cec6c9bdf63e341b9aa1
Opcode Fuzzy Hash: 9dcb3847474e8bc35b50831b93979bca43b0a6cfeef500ee7d43cd661992d6f5
Instruction Fuzzy Hash: D3819F756042069BC7369F18C890A6BB3E1EF99360F15C52CF9A98B3A1EB35EC51CB41

Function 0036F820 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d568270202be8666c6747a97cae15c503a0743d92dee52a571f55b25c44adc8
Instruction ID: de918d4a3f86a089dd2fe00a69c80e23cb4978be86665da038d0dec918843266
Opcode Fuzzy Hash: 2d568270202be8666c6747a97cae15c503a0743d92dee52a571f55b25c44adc8
Instruction Fuzzy Hash: AF81923160C3928FC31ACF28D49062ABBE2AFC5314F19CA7DE4E58B395D635D846CB52

Function 00359ADE Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcc6daf62ee0fe12bed65494a8208dd5871296fee45504ca138a4155bc1fbb3
Instruction ID: 539e3e0bc3ea9e8390a69055113226841315f9a1d5492ef0175a087d72e6ae8c
Opcode Fuzzy Hash: 2dcc6daf62ee0fe12bed65494a8208dd5871296fee45504ca138a4155bc1fbb3
Instruction Fuzzy Hash: D8714BB29047148FD71A8F29D85173FB6D6ABC4301F4A467DEC569F392DB349805C781

Function 0035DBF0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca27546399771ab0c2a79fe1e3498aa8fb32ecf6d5c68e35aae805fc35ac8e88
Instruction ID: 0eb5b5e5ea0df72a717c2d86689e4f834cbad7d0c932d54674bdec69d31efbd8
Opcode Fuzzy Hash: ca27546399771ab0c2a79fe1e3498aa8fb32ecf6d5c68e35aae805fc35ac8e88
Instruction Fuzzy Hash: F17198B410D3D18AE7368F2594997ABBFE1AFA3305F184A9CD4D90F292C735440ACB97

Function 0033CFEC Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d13381a9c63c40da45dc9849f60c7f94887b88d9a255b5768be2b1aa01af705
Instruction ID: 3bd89501b55364a2e1cebf150bf20855c64cfe9215b58237b863db27ef906d4a
Opcode Fuzzy Hash: 6d13381a9c63c40da45dc9849f60c7f94887b88d9a255b5768be2b1aa01af705
Instruction Fuzzy Hash: 9A5159726057008FD32ACF38CCD2656BBA3AFD6314B1D866CC4964B796EB39A406C750

Function 00367B69 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0cfd14d154026d677b7bda8828e23c9bc4dc6a5aa4282a6dcae35b4e0883f6
Instruction ID: e326d59660d39a1e9d988dc65811a63d0d1735102ec8bce8925bd58d66a5a4b9
Opcode Fuzzy Hash: 4f0cfd14d154026d677b7bda8828e23c9bc4dc6a5aa4282a6dcae35b4e0883f6
Instruction Fuzzy Hash: AB91B4B1E042548FCB18CF6CC89179EBBF2AF89314F29829DD855AB391D7759C01CB91

Function 0034DCB0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e076e313d6dd0772dd5d2a4655960b4f24d2c862da67e5cf08e276ff2a48e57
Instruction ID: 2f0cfcc11cfa0aea330cca44291a451e9df5c791ce3b1192b7c153ddbcee83a0
Opcode Fuzzy Hash: 6e076e313d6dd0772dd5d2a4655960b4f24d2c862da67e5cf08e276ff2a48e57
Instruction Fuzzy Hash: D7612333B49A804BE33E893D5C512A9BAC74FD6334B2DC77DA5B68F3E4D9A548058340

Function 0034A690 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f13ddb64eb54dc0ae51f409bae6f7a7f13599db804fcfeb2ab2fd387cbc0994
Instruction ID: 5b85f3bc8f3cd33171308dc37b5bf4c84395a2dd9b1263593c95ced468e5d6e2
Opcode Fuzzy Hash: 8f13ddb64eb54dc0ae51f409bae6f7a7f13599db804fcfeb2ab2fd387cbc0994
Instruction Fuzzy Hash: 5D610533BA5C904BD72A893C4C412AA6E974BD733473EC36AE974CF7E5C2669C024391

Function 0035BBA0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction ID: 9ecd2fccb1fe769c0b4727c8daa33b4aa2ab3cf314904d71f691dc16deee7c3a
Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction Fuzzy Hash: C961E5316083544BD7269E2DC8C0A2AF7E6AB85331F2A876CECB58B3F5D7709C498745

Function 0034B484 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b04c781263a6114cd53c4d5ea8186c37858bd75b90d60b7bc2e9605b1751ec
Instruction ID: 90702c4a53c74533b2821c405d563f383da9041ac82aeaecee4222884033d404
Opcode Fuzzy Hash: 08b04c781263a6114cd53c4d5ea8186c37858bd75b90d60b7bc2e9605b1751ec
Instruction Fuzzy Hash: D74127726547414BD32A8A35C862373FBE3ABA3304F1D946DC5D38B656EB39A50B8710

Function 003674AB Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ccaee3bd4a1797054f9507e4655356da7a95c4c61639eaf86f8bc0b37ffb450
Instruction ID: 94f98f0a2e8b182c63194ac86360da67473471848feb7b67971528141e95e75f
Opcode Fuzzy Hash: 1ccaee3bd4a1797054f9507e4655356da7a95c4c61639eaf86f8bc0b37ffb450
Instruction Fuzzy Hash: 9871D4B1E046508FC719CF6CC86135ABFF2AB85314F29C2ADD8999F3D2D6758806CB81

Function 0034B667 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0461e801074659a7fe9fca497d257aa686dc4e945d46141c32893f5e2984a3
Instruction ID: 2fa0625cef9c962e5a52242517b6df1bc1a6a23e475ba7654baca0fa70b9ab88
Opcode Fuzzy Hash: ea0461e801074659a7fe9fca497d257aa686dc4e945d46141c32893f5e2984a3
Instruction Fuzzy Hash: 8D4107766187814BD32A8A35C862373FFE7AFE2304F2D946EC4D34B652D739A50A8350

Function 0033CA62 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128d07beb05576890e5d74fbf8bb76137a9f10cae9c60051493cc190de3c6e84
Instruction ID: 255bd36cf2d819eefbd6273181c487e7c1debc341b91d478a709449f97591fe6
Opcode Fuzzy Hash: 128d07beb05576890e5d74fbf8bb76137a9f10cae9c60051493cc190de3c6e84
Instruction Fuzzy Hash: A251F6766583118BC728CF64C8A266BF7E2FFD8304F19A92DE4C69B390DB749801C785

Function 00365D13 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf964233ba63b373f85578d50aa1305ace8b852fba9c61638e3a09a68d840f6
Instruction ID: 607e06d0ac49530d55d0c1041537f4633ca3bd78b297c9c6018bb92db7dea3e7
Opcode Fuzzy Hash: bcf964233ba63b373f85578d50aa1305ace8b852fba9c61638e3a09a68d840f6
Instruction Fuzzy Hash: 61912B11208BC28ED7268A3C88586557F915B67238F2D87DCE0FA8F7E7C6578107C766

Function 0036443D Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e408f92e598b71fc16f187d5f2ea3b586cdd120a3f83cd2159344f3ec90874db
Instruction ID: 0d0cefd120021d872f193096b4f877738aee55b9a825699ce2d0711251c391fa
Opcode Fuzzy Hash: e408f92e598b71fc16f187d5f2ea3b586cdd120a3f83cd2159344f3ec90874db
Instruction Fuzzy Hash: 67912B11208BC28EC326CA3C88586557F921B67228F2D87DCD0FA8F7E7C7669507C766

Function 0036ACB0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction ID: 9ec2eb0ef80bbf76d514ca2f1fba3f82d401e02e81bd845b936cf556ed49baff
Opcode Fuzzy Hash: bd2c80c23f364ae32a5c5ea9ca16968fea39fdfc7921c6944e5ca5627ebbab6b
Instruction Fuzzy Hash: B6515CB16087548FE314DF29D49435BBBE1BBC4314F158A2DE4E987351E379DA088F92

Function 003718A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf69c099d4c360a60cc08994ccf41a1033824d2444f71d50c32e10ca23ca0e7
Instruction ID: f72b03d58842420bdd6f949e26e1789aa24ce932c7e765d54cf428f0f548b7fe
Opcode Fuzzy Hash: 2bf69c099d4c360a60cc08994ccf41a1033824d2444f71d50c32e10ca23ca0e7
Instruction Fuzzy Hash: 55513536A18211CFC7219F28D89026AB3F5FB8A314F0AC87DD58D57354E338D982DB82

Function 00332210 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29747aa2e1ce0585b13d01dcf46c79e2f65ef40cf9f637cc91af5e81c6061eb
Instruction ID: 71fcebd6a53c5f5b1cfcf9bf8178cb0508dad7687ff31f47066503d138216597
Opcode Fuzzy Hash: b29747aa2e1ce0585b13d01dcf46c79e2f65ef40cf9f637cc91af5e81c6061eb
Instruction Fuzzy Hash: B751B1B19047019BD3228F28DC8471BB7A9FB85334F15472CE8A9972E0E734E955CB86

Function 004C5A12 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b20edb636b459ac4e40aebdedb781dd767f47833542bbcef43d785a37937ee1
Instruction ID: 81229ce7a8cd3feabd2336f226d2c99d90616872cbc977cf1631a1459d573dfe
Opcode Fuzzy Hash: 9b20edb636b459ac4e40aebdedb781dd767f47833542bbcef43d785a37937ee1
Instruction Fuzzy Hash: 555127F3A182105BE31C592CEC2577AB7DADBD4320F2E453EA686C73C4EE395C058295

Function 00366610 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f2c417aa986c9afec07c540be1f3334bca009ec4405b585e24290838142644
Instruction ID: b130a719eead03dea25bd6e992984a76875881719f0c3f12170caab83a9cf9d0
Opcode Fuzzy Hash: b3f2c417aa986c9afec07c540be1f3334bca009ec4405b585e24290838142644
Instruction Fuzzy Hash: 975156337599A04BD32E893C5C232A67A9B0BD2338F2DC76EE0B5CB7E9D45988014340

Function 0036CB40 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction ID: 1df5c070056e4fbd717ac5985015904ac01df2891f1df464a4439d23f708ed9e
Opcode Fuzzy Hash: aa77b6908eab7f3669129dd6270d874e2da5e3f843f0bb40ad558b4d72932a7f
Instruction Fuzzy Hash: D851D373E259304BD7259D7D8C8126BBA926B86330F2A8339EDB5EB3D4D6349D0143C5

Function 00371FB0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db327a108be2d45c3e088844bdc67d493dac0a8d1458684eb99d6ee2250ae91
Instruction ID: 66bb409fbcd0862647862a4e08156fba7f6cf724fd8c7ef6731c5e92f35fda56
Opcode Fuzzy Hash: 3db327a108be2d45c3e088844bdc67d493dac0a8d1458684eb99d6ee2250ae91
Instruction Fuzzy Hash: 57511130229240DBD3598F38D8A066BB7E2FB85325F89897CD4CA87691D339D85ACB41

Function 00545DA6 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d2d3f5ee1e6c965d1b24c06afe183d4f4ad335f35853b4ea690bd84e0782db
Instruction ID: a0a138347f680779f6a3976b49e10eb3e668c4b67759596d72514fdbf8459958
Opcode Fuzzy Hash: 56d2d3f5ee1e6c965d1b24c06afe183d4f4ad335f35853b4ea690bd84e0782db
Instruction Fuzzy Hash: 124128B350CA00EBD3016E28DC456BABBE5FB90314F264D2ED9C1C7706F63459659683

Function 0036C9A0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 326308c54be46958c0fe9d1ed9592850b23787ef4dc81a2269c4f050a701769c
Instruction ID: 2f0eaed07e822d0580cdc71c87524698737e0dd9fa6128d31539328f68869e14
Opcode Fuzzy Hash: 326308c54be46958c0fe9d1ed9592850b23787ef4dc81a2269c4f050a701769c
Instruction Fuzzy Hash: AC413471A143046BE3269E64EC81B7BB7A8EF85704F11D42DF9C597251E731EC048B92

Function 0033A05C Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9498a81cdd7c29338ff7c4fc1d7d1797187f00c2e898f870f7ce1764f30be9d5
Instruction ID: 4f2eb24128b7b56ce2ab4e71a59bbf6f3526d546ff61e343b5eabc23d7c8f943
Opcode Fuzzy Hash: 9498a81cdd7c29338ff7c4fc1d7d1797187f00c2e898f870f7ce1764f30be9d5
Instruction Fuzzy Hash: 71413E33F149518BC72C8E68C9D23AAFBA3BB8A310F1E522DC99597755D7789C0147C0

Function 0034B243 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f764b67762d5c1127c45b9e4df87963a4c445d30bdec049c5594ad37c49cbbe5
Instruction ID: fdab0b0c13e6b21b15da5408364b57f77de64eb3817671d5b21b29dedceec4c2
Opcode Fuzzy Hash: f764b67762d5c1127c45b9e4df87963a4c445d30bdec049c5594ad37c49cbbe5
Instruction Fuzzy Hash: A831C3316047918BDB298F39C4513A7BBF19B5A314F18596DC1D78B782C37AE8468B60

Function 0034AB2A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f46026da75943a4258e76928d320dd8e4bb46439a5f30e4e3994747db984084
Instruction ID: f799dc67d5a8ce18c8b4b9453a3a2f764be6f453825d3d4db0a8e2a253b42844
Opcode Fuzzy Hash: 5f46026da75943a4258e76928d320dd8e4bb46439a5f30e4e3994747db984084
Instruction Fuzzy Hash: A421E470598A829FE7278B3488507B3BBE5EB63309F28189DD5C38F243E765A5098761

Function 00332B20 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a545855e001701b94b23ca96662b582b04d564978527495ee1cf707802fc4392
Instruction ID: 9022bbde27c6b84a7b56e499e51ec47b8de1f7d11ecb7459b784e9289a1ea266
Opcode Fuzzy Hash: a545855e001701b94b23ca96662b582b04d564978527495ee1cf707802fc4392
Instruction Fuzzy Hash: 3121D1342581F10BC72E8E3D98F0477F7949B87312B1A036FEAD283392D614A8949760

Function 00368520 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 83de2815854e0354688436b5564d8db2d739438dbbd55f04698d9f99cc4e40a8
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 3A11E933A151D40EC3178E3C88405A5BFE30AE7634F19C39AF5B59B2D6DA23CD8A8354

Function 0035BB00 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704165ecad2831eee6818578ecb7b66d087a772bcbae644b5281e1cc38099ed0
Instruction ID: c32a3b6622934e9efb038862014e63c8eba293b753eaf5351bd7f5158c733a55
Opcode Fuzzy Hash: 704165ecad2831eee6818578ecb7b66d087a772bcbae644b5281e1cc38099ed0
Instruction Fuzzy Hash: 75017CF1A0070557DB22AF6498D1F3BF2A8AF81705F19452CFC095B216EBB5EC0AC6A5

Function 0034B184 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1154c0edd2e59d2c90e1c3908fbc28b72c07edf18633ae857fc4d2e6e8c861
Instruction ID: 076f47662709b16f3458f331555a7ef92f450d54ee57872576d1b9e933044c9b
Opcode Fuzzy Hash: 1a1154c0edd2e59d2c90e1c3908fbc28b72c07edf18633ae857fc4d2e6e8c861
Instruction Fuzzy Hash: 3311E631104B508FD7358F35C824377BBE19B56318F198A5DC1E7876D1DB7AE1098B40

Function 0034B173 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction ID: 64978ead1ba6e81dc8905fba1022c80a44011b8e45b841b5df0829934c2fa977
Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction Fuzzy Hash: 050171201086828FD7128F2894206A6FBE0EF63314F1996C6D4D58F283C364E945C7A5

Function 0033C3EC Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9731c13158ec0409294c8833c40b4ce50f4cc890ff63734be6bdc2da212dfe14
Instruction ID: 201f212532eb2bdfc4059b17913086ec1752e82be91164aca1fcd2e9cfd084b3
Opcode Fuzzy Hash: 9731c13158ec0409294c8833c40b4ce50f4cc890ff63734be6bdc2da212dfe14
Instruction Fuzzy Hash: 8611483029C3808FD7158F64D9D576BBBE19BD2308F245A2CE5C127292D7F58909C7A7

Function 0034B882 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction ID: 8f65d681dfcd659397ebb36456e38534ce1e0b27c5a9002fda96082eeb9d1ed3
Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction Fuzzy Hash: A1014F205086C28FE7138F2994207A6FFE0EF63314F1996D6D4D59F283C369E945C7A5

Function 0034BB21 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
Instruction ID: 0ef0a211d5f9db8464360682118e866bcb6733e61077f6913e4ed0e4899b3260
Opcode Fuzzy Hash: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
Instruction Fuzzy Hash: 680126605042828FEB128F38D050766FBE0EF63314F1896DAD4D58F283C375D845C7A5

Function 0034AEFF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction ID: 0f3d529aeffaf924ab3d5736b9b5156f78bf2f064ff7226d9d65a09d7ef32853
Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction Fuzzy Hash: 8E016D205082C28FEB138F2994217B6FFE0EF63314F1996D6D4D58F283C3699949C7A5

Function 0033C334 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c20cf232a8417da441fe6e8629bd1e6a8bd99c4a07ea57f2122949bc7dca248
Instruction ID: afbebcd1cf1fe69f5784ee08f04a2fe83ede2c52a00014c6a0fd3bfad28f917b
Opcode Fuzzy Hash: 6c20cf232a8417da441fe6e8629bd1e6a8bd99c4a07ea57f2122949bc7dca248
Instruction Fuzzy Hash: 3D112B7065C3808FD319CF28DDC076BBBE29BD6314F244A1CD5C517256C6B19949CB66

Function 0036F0E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 74150f1a8008392db9212a8f68a783e9d1914f6a5fed5935cdc86e262c8c9869
Instruction ID: eae76996faf51c5db6b3e0c05abff1614f517b11f67ad322bd3803f7831a6377
Opcode Fuzzy Hash: 74150f1a8008392db9212a8f68a783e9d1914f6a5fed5935cdc86e262c8c9869
Instruction Fuzzy Hash: 1FF0D632500204AFD2225B4AFC40C3777ADE7CA778F119328E418521A6A322ED50C7A0

Function 00348672 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5a020339bf0f9414bcb4f6243cb64ac5bfd2c2176f1af427b585d4fc74538b
Instruction ID: d2744848435f04e710e04cca3b5a96818a2ad8d6e296067d119d1d1244164245
Opcode Fuzzy Hash: 5f5a020339bf0f9414bcb4f6243cb64ac5bfd2c2176f1af427b585d4fc74538b
Instruction Fuzzy Hash: BBF05E34560100DEC66BDF2A998447872E9F747321F122459C60AAB0A0DF35B8D1CA0A

Function 00586C40 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3656a92e73d4c64dec66b4012a2a729d95de86c1562a144837d973d876b6865
Instruction ID: 921e7a182a566e3a27be38af8741e49b05d6dd35cffa22d0b2db04f697ce1d70
Opcode Fuzzy Hash: b3656a92e73d4c64dec66b4012a2a729d95de86c1562a144837d973d876b6865
Instruction Fuzzy Hash: 63E0EC1BB5C328AF7354EEF70CD4463D64F77D4AA032BD8395E01A7A14DCE1A90252A1

Function 00339E09 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b3c9c4b9152c862566d38b51687ec54b0ce448e74c591e1f1eb9eafd24f055
Instruction ID: 6e1b88b7f0bf9e29f9cc16b7c5869873a765882d60a2c496bd86b9a29c3a2c11
Opcode Fuzzy Hash: 66b3c9c4b9152c862566d38b51687ec54b0ce448e74c591e1f1eb9eafd24f055
Instruction Fuzzy Hash: 31E09A38910205CFCB26CF48C8A2677B7B0EF0A301F15645ADA86EB360E3389941C7A8

Function 0033CEC7 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f67aaf922a865c56489025053e7ed52ca59d2f9c37ceb2286ee3538ae882c92
Instruction ID: 34356a61b4c7ff94e4947cf0e7aa42e68750d9904a84d0d0e4219381e22673f4
Opcode Fuzzy Hash: 9f67aaf922a865c56489025053e7ed52ca59d2f9c37ceb2286ee3538ae882c92
Instruction Fuzzy Hash: 86E09A342097008BC22AEB21D8E243BF3E6AF81304F11B85DA1475FA62CE60BC43DB55

Function 0035B652 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8b54f63153c7c6aed8baa5193ba56511e0993810b7e2ecaa745075ad1b6560
Instruction ID: be7eebd30a2f647b8c2c9594eb90f8ef76f768dfbefdc8505c5037e03589f0c5
Opcode Fuzzy Hash: eb8b54f63153c7c6aed8baa5193ba56511e0993810b7e2ecaa745075ad1b6560
Instruction Fuzzy Hash: 5EE08674A18201CBC6278F06D891935F3A5EF9A302F15645DE84A57534E321EC49C706

Function 0034F2A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 958a8734cd4359495b520723892fd58ebbf98a0a8ba3dcbb84e298fec3772602
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: CAD0A7755487A10E975ACD3804A0477FBE8E947712B1C18AEE5D1FB105D221EC014698

Function 0033D334 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271510914.0000000000331000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.1271491239.0000000000330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271546925.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000387000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000050E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.00000000005F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000625000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271563641.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271825907.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271943245.00000000007D8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1271960510.00000000007D9000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_330000_NvOxePa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e94bb6c36b6a519d94dd4540e79531e8915d2278ce2f79c7cf3ad2884a4a3e2
Instruction ID: 315867c8db194b1c605c25a28de0caabd5e3eee88809347d2dfd33249f7bb469
Opcode Fuzzy Hash: 4e94bb6c36b6a519d94dd4540e79531e8915d2278ce2f79c7cf3ad2884a4a3e2
Instruction Fuzzy Hash: A6C04C2565C1008B926ACA15AC50532677E9B8A314F14E119840A53665E1209492950D

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NvOxePa.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
NvOxePa.exe

Function 0033B2B0 Relevance: 9.3, Strings: 7, Instructions: 518
COMMON

Function 00338880 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 188
COMMON

Function 0033AA32 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Function 003702C0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00370260 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Function 0033AB12 Relevance: 1.5, APIs: 1, Instructions: 20
networkCOMMON

Function 0036EB40 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Function 0036EB20 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON