Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1530637
MD5:2e9403b66ad1a28806ffb2b17b2f127e
SHA1:0d51ec4158aea1c7b7a8b12b9e09f6936f0e5d0a
SHA256:5a859342214dbeacb5dcbba9e3fa59185ace49e67beb9884f2767901b9a52ce7
Tags:exeuser-Bitsight
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 3976 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2E9403B66AD1A28806FFB2B17B2F127E)
  • cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["clearancek.site", "bathdoomgaz.store", "spirittunek.store", "licendfilteo.site", "eaglepawnoy.store", "mobbipenju.store", "studennotediw.store", "dissapoiznw.store"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
decrypted.memstrJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

    Sigma Signatures

    No Sigma rule has matched

    Suricata Signatures

    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-10T10:09:24.022283+020020564771Domain Observed Used for C2 Detected192.168.2.6604641.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-10T10:09:23.968108+020020564711Domain Observed Used for C2 Detected192.168.2.6578551.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-10T10:09:24.002516+020020564811Domain Observed Used for C2 Detected192.168.2.6492611.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-10T10:09:23.991670+020020564831Domain Observed Used for C2 Detected192.168.2.6603881.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-10T10:09:24.054441+020020564731Domain Observed Used for C2 Detected192.168.2.6515031.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-10T10:09:23.981077+020020564851Domain Observed Used for C2 Detected192.168.2.6553821.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-10T10:09:24.041252+020020564751Domain Observed Used for C2 Detected192.168.2.6549161.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-10T10:09:24.013344+020020564791Domain Observed Used for C2 Detected192.168.2.6536731.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-10-10T10:09:25.228304+020028586661Domain Observed Used for C2 Detected192.168.2.649714104.102.49.254443TCP

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Antivirus / Scanner detection for submitted sample
    Source: file.exeAvira: detected
    Antivirus detection for URL or domain
    Source: https://steamcommunity.com/profiles/76561199724331900URL Reputation: Label: malware
    Source: https://steamcommunity.com:443/profiles/76561199724331900URL Reputation: Label: malware
    Found malware configuration
    Source: file.exe.3976.0.memstrminMalware Configuration Extractor: LummaC {"C2 url": ["clearancek.site", "bathdoomgaz.store", "spirittunek.store", "licendfilteo.site", "eaglepawnoy.store", "mobbipenju.store", "studennotediw.store", "dissapoiznw.store"], "Build id": "4SD0y4--legendaryy"}
    Multi AV Scanner detection for domain / URL
    Source: eaglepawnoy.storeVirustotal: Detection: 18%Perma Link
    Source: bathdoomgaz.storeVirustotal: Detection: 17%Perma Link
    Source: studennotediw.storeVirustotal: Detection: 17%Perma Link
    Source: spirittunek.storeVirustotal: Detection: 18%Perma Link
    Source: mobbipenju.storeVirustotal: Detection: 17%Perma Link
    Source: dissapoiznw.storeVirustotal: Detection: 17%Perma Link
    Source: clearancek.siteVirustotal: Detection: 17%Perma Link
    Source: licendfilteo.siteVirustotal: Detection: 15%Perma Link
    Source: bathdoomgaz.storeVirustotal: Detection: 17%Perma Link
    Source: studennotediw.storeVirustotal: Detection: 17%Perma Link
    Source: https://clearancek.site:443/apiVirustotal: Detection: 19%Perma Link
    Source: clearancek.siteVirustotal: Detection: 17%Perma Link
    Source: spirittunek.storeVirustotal: Detection: 18%Perma Link
    Source: licendfilteo.siteVirustotal: Detection: 15%Perma Link
    Source: eaglepawnoy.storeVirustotal: Detection: 18%Perma Link
    Source: dissapoiznw.storeVirustotal: Detection: 17%Perma Link
    Source: mobbipenju.storeVirustotal: Detection: 17%Perma Link
    Multi AV Scanner detection for submitted file
    Source: file.exeReversingLabs: Detection: 42%
    Source: file.exeVirustotal: Detection: 53%Perma Link
    AI detected suspicious sample
    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
    Machine Learning detection for sample
    Source: file.exeJoe Sandbox ML: detected
    Sample uses string decryption to hide its real strings
    Source: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpString decryptor: clearancek.site
    Source: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpString decryptor: licendfilteo.site
    Source: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpString decryptor: spirittunek.store
    Source: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpString decryptor: bathdoomgaz.store
    Source: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpString decryptor: studennotediw.store
    Source: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpString decryptor: dissapoiznw.store
    Source: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpString decryptor: eaglepawnoy.store
    Source: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpString decryptor: mobbipenju.store
    Source: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpString decryptor: clearancek.site
    Source: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpString decryptor: lid=%s&j=%s&ver=4.0
    Source: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpString decryptor: TeslaBrowser/5.5
    Source: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpString decryptor: - Screen Resoluton:
    Source: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpString decryptor: - Physical Installed Memory:
    Source: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpString decryptor: Workgroup: -
    Source: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpString decryptor: 4SD0y4--legendaryy
    Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49714 version: TLS 1.2
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esp]0_2_00E2D110
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esp]0_2_00E2D110
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh0_2_00E663B8
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esp]0_2_00E65700
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh0_2_00E699D0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h0_2_00E6695B
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]0_2_00E2FCA0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [ebp-10h]0_2_00E30EEC
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then jmp ecx0_2_00E66094
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h0_2_00E64040
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esi+20h]0_2_00E36F91
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then dec ebx0_2_00E5F030
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov ecx, dword ptr [edx]0_2_00E21000
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esp+0Ch]0_2_00E4D1E1
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esi+04h]0_2_00E342FC
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov word ptr [eax], dx0_2_00E42260
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov word ptr [esi], ax0_2_00E42260
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esi+30h]0_2_00E523E0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esi+30h]0_2_00E523E0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esi+30h]0_2_00E523E0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov byte ptr [edi], al0_2_00E523E0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esi+30h]0_2_00E523E0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esi+14h]0_2_00E523E0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov ebp, eax0_2_00E2A300
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh0_2_00E664B8
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esp+0Ch]0_2_00E4C470
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx eax, word ptr [esi+ecx]0_2_00E61440
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov word ptr [eax], cx0_2_00E3D457
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [ebp-14h]0_2_00E4E40C
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov dword ptr [esp], 00000000h0_2_00E3B410
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]0_2_00E28590
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh0_2_00E67520
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esi+04h]0_2_00E36536
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov word ptr [eax], cx0_2_00E49510
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [ebp-14h]0_2_00E4E66A
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx ebx, byte ptr [edx]0_2_00E5B650
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esp+08h]0_2_00E667EF
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [ebp-14h]0_2_00E4D7AF
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx ecx, word ptr [edi+eax]0_2_00E67710
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov word ptr [eax], dx0_2_00E428E9
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx edx, byte ptr [esi+edi]0_2_00E249A0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h0_2_00E3D961
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h0_2_00E63920
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then jmp eax0_2_00E31ACD
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h0_2_00E64A40
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx edx, byte ptr [esi+ebx]0_2_00E25A50
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then jmp eax0_2_00E31A3C
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esi+04h]0_2_00E33BE2
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esp+40h]0_2_00E31BEE
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]0_2_00E50B80
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh0_2_00E69B60
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esp+000006B8h]0_2_00E3DB6F
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h0_2_00E3DB6F
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esp]0_2_00E69CE0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh0_2_00E69CE0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h0_2_00E4CCD0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esp]0_2_00E4CCD0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h0_2_00E4CCD0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then jmp eax0_2_00E4AC91
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov word ptr [edx], ax0_2_00E4AC91
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp word ptr [eax+esi+02h], 0000h0_2_00E4EC48
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh0_2_00E5FC20
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h0_2_00E47C00
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esp]0_2_00E68D8A
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [ebp-14h]0_2_00E4DD29
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh0_2_00E4FD10
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx edi, byte ptr [ecx+esi]0_2_00E26EA0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx ecx, word ptr [ebp+00h]0_2_00E2BEB0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp byte ptr [ebx], 00000000h0_2_00E36EBF
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esp+40h]0_2_00E31E93
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov word ptr [eax], cx0_2_00E47E60
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esp]0_2_00E45E70
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then movzx ebx, word ptr [ecx]0_2_00E4AE57
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov edi, ecx0_2_00E34E2A
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h0_2_00E67FC0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esp]0_2_00E67FC0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then jmp ecx0_2_00E65FD6
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then jmp ecx0_2_00E28FD0
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov word ptr [edx], 0000h0_2_00E3FFDF
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esi+20h]0_2_00E36F91
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then jmp eax0_2_00E49F62
    Source: C:\Users\user\Desktop\file.exeCode function: 4x nop then mov eax, dword ptr [esp]0_2_00E5FF70

    Networking

    barindex
    Suricata IDS alerts for network traffic
    Source: Network trafficSuricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:49261 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:60388 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:60464 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:55382 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:57855 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:53673 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:54916 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:51503 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49714 -> 104.102.49.254:443
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractorURLs: clearancek.site
    Source: Malware configuration extractorURLs: bathdoomgaz.store
    Source: Malware configuration extractorURLs: spirittunek.store
    Source: Malware configuration extractorURLs: licendfilteo.site
    Source: Malware configuration extractorURLs: eaglepawnoy.store
    Source: Malware configuration extractorURLs: mobbipenju.store
    Source: Malware configuration extractorURLs: studennotediw.store
    Source: Malware configuration extractorURLs: dissapoiznw.store
    Source: Joe Sandbox ViewIP Address: 104.102.49.254 104.102.49.254
    Source: Joe Sandbox ViewASN Name: AKAMAI-ASUS AKAMAI-ASUS
    Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
    Source: file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=07baddf35cda2d6eafe42949; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 10 Oct 2024 08:09:25 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
    Source: global trafficDNS traffic detected: DNS query: clearancek.site
    Source: global trafficDNS traffic detected: DNS query: mobbipenju.store
    Source: global trafficDNS traffic detected: DNS query: eaglepawnoy.store
    Source: global trafficDNS traffic detected: DNS query: dissapoiznw.store
    Source: global trafficDNS traffic detected: DNS query: studennotediw.store
    Source: global trafficDNS traffic detected: DNS query: bathdoomgaz.store
    Source: global trafficDNS traffic detected: DNS query: spirittunek.store
    Source: global trafficDNS traffic detected: DNS query: licendfilteo.site
    Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:27060
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
    Source: file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://broadcast.st.dl.eccdnx.com
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
    Source: file.exe, 00000000.00000003.2198358610.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clearancek.site:443/api
    Source: file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/
    Source: file.exe, 00000000.00000002.2199692531.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=Gu9gs5hf
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=M7aU
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
    Source: file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
    Source: file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com
    Source: file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
    Source: file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/Microsoft
    Source: file.exe, 00000000.00000002.2199692531.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.00000000013E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/P
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
    Source: file.exe, 00000000.00000003.2198563646.00000000013FD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199777018.00000000013FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199692531.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.00000000013E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
    Source: file.exe, 00000000.00000003.2198358610.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
    Source: file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
    Source: file.exe, 00000000.00000003.2198358610.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
    Source: file.exe, 00000000.00000003.2198358610.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
    Source: file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
    Source: file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
    Source: file.exe, 00000000.00000003.2198358610.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
    Source: file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
    Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
    Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49714 version: TLS 1.2

    System Summary

    barindex
    PE file contains section with special chars
    Source: file.exeStatic PE information: section name:
    Source: file.exeStatic PE information: section name: .rsrc
    Source: file.exeStatic PE information: section name: .idata
    Source: file.exeStatic PE information: section name:
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E302280_2_00E30228
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E6A0D00_2_00E6A0D0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E640400_2_00E64040
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E320300_2_00E32030
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E210000_2_00E21000
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E271F00_2_00E271F0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E2E1A00_2_00E2E1A0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E251600_2_00E25160
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF61340_2_00FF6134
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF41220_2_00FF4122
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E212F70_2_00E212F7
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FEF2E40_2_00FEF2E4
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E582D00_2_00E582D0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E512D00_2_00E512D0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F0D2990_2_00F0D299
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E523E00_2_00E523E0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E213A30_2_00E213A3
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E2B3A00_2_00E2B3A0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E2A3000_2_00E2A300
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010862E00_2_010862E0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E564F00_2_00E564F0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FE94B70_2_00FE94B7
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E344870_2_00E34487
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E3049B0_2_00E3049B
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4C4700_2_00E4C470
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FEA4690_2_00FEA469
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E3C5F00_2_00E3C5F0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E235B00_2_00E235B0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E285900_2_00E28590
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E686F00_2_00E686F0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F626800_2_00F62680
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E2164F0_2_00E2164F
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E686520_2_00E68652
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E5F6200_2_00E5F620
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F4C7F90_2_00F4C7F9
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF778E0_2_00FF778E
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E5B8C00_2_00E5B8C0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E5E8A00_2_00E5E8A0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E518600_2_00E51860
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E2A8500_2_00E2A850
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FED8450_2_00FED845
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FDF9CC0_2_00FDF9CC
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E689A00_2_00E689A0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4098B0_2_00E4098B
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E67AB00_2_00E67AB0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E68A800_2_00E68A80
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E64A400_2_00E64A40
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E27BF00_2_00E27BF0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E3DB6F0_2_00E3DB6F
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00EA5B160_2_00EA5B16
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4CCD00_2_00E4CCD0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E66CBF0_2_00E66CBF
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00EE0C9C0_2_00EE0C9C
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F9FC710_2_00F9FC71
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E68C020_2_00E68C02
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FEBDFB0_2_00FEBDFB
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E48D620_2_00E48D62
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4DD290_2_00E4DD29
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4FD100_2_00E4FD10
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E2BEB00_2_00E2BEB0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E36EBF0_2_00E36EBF
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E68E700_2_00E68E70
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00ED9E400_2_00ED9E40
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4AE570_2_00E4AE57
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F12E4C0_2_00F12E4C
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E34E2A0_2_00E34E2A
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E67FC00_2_00E67FC0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E28FD00_2_00E28FD0
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F69FCF0_2_00F69FCF
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E2AF100_2_00E2AF10
    Source: C:\Users\user\Desktop\file.exeCode function: String function: 00E3D300 appears 152 times
    Source: C:\Users\user\Desktop\file.exeCode function: String function: 00E2CAA0 appears 48 times
    Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: file.exeStatic PE information: Section: ZLIB complexity 0.9994198638613861
    Source: file.exeStatic PE information: Section: myrwdfbd ZLIB complexity 0.994171817414005
    Source: file.exeStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
    Source: classification engineClassification label: mal100.troj.evad.winEXE@1/0@9/1
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E58220 CoCreateInstance,0_2_00E58220
    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: file.exeReversingLabs: Detection: 42%
    Source: file.exeVirustotal: Detection: 53%
    Source: file.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
    Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: webio.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\file.exeSection loaded: dpapi.dllJump to behavior
    Source: file.exeStatic file information: File size 1837056 > 1048576
    Source: file.exeStatic PE information: Raw size of myrwdfbd is bigger than: 0x100000 < 0x197000

    Data Obfuscation

    barindex
    Detected unpacking (changes PE section rights)
    Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.e20000.0.unpack :EW;.rsrc :W;.idata :W; :EW;myrwdfbd:EW;ffhyloyn:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;myrwdfbd:EW;ffhyloyn:EW;.taggant:EW;
    Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
    Source: file.exeStatic PE information: real checksum: 0x1c199a should be: 0x1cceb2
    Source: file.exeStatic PE information: section name:
    Source: file.exeStatic PE information: section name: .rsrc
    Source: file.exeStatic PE information: section name: .idata
    Source: file.exeStatic PE information: section name:
    Source: file.exeStatic PE information: section name: myrwdfbd
    Source: file.exeStatic PE information: section name: ffhyloyn
    Source: file.exeStatic PE information: section name: .taggant
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010B8108 push 1A59E912h; mov dword ptr [esp], esi0_2_010B81A6
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01007110 push edi; mov dword ptr [esp], ecx0_2_01007140
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0101512C push ebp; mov dword ptr [esp], 2C7B9891h0_2_01015174
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010E7004 push 1F086EC6h; mov dword ptr [esp], eax0_2_010E701C
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010E7004 push eax; mov dword ptr [esp], esi0_2_010E7046
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0108B007 push 699F0DD1h; mov dword ptr [esp], ecx0_2_0108B051
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010C0082 push eax; mov dword ptr [esp], edx0_2_010C0100
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01083094 push 29BBCE16h; mov dword ptr [esp], edi0_2_010830B6
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01083094 push ecx; mov dword ptr [esp], ebx0_2_010830D2
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010940B5 push 3E85BF73h; mov dword ptr [esp], eax0_2_010940C3
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push 178C950Fh; mov dword ptr [esp], esi0_2_00FF6153
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push ebp; mov dword ptr [esp], 375AEFDDh0_2_00FF6187
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push esi; mov dword ptr [esp], 52B35691h0_2_00FF61FE
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push edx; mov dword ptr [esp], esi0_2_00FF6232
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push edi; mov dword ptr [esp], 0C08CD52h0_2_00FF62A7
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push 1FDED7B1h; mov dword ptr [esp], ebp0_2_00FF62D8
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push 2F0AF355h; mov dword ptr [esp], edx0_2_00FF6361
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push ebx; mov dword ptr [esp], 0838056Dh0_2_00FF641A
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push edi; mov dword ptr [esp], ebx0_2_00FF6499
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push esi; mov dword ptr [esp], 33870317h0_2_00FF6543
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push edi; mov dword ptr [esp], ebp0_2_00FF6556
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push 298FD596h; mov dword ptr [esp], edx0_2_00FF6584
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push edi; mov dword ptr [esp], 3EE25649h0_2_00FF658A
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push ecx; mov dword ptr [esp], eax0_2_00FF660E
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push ebp; mov dword ptr [esp], ecx0_2_00FF6733
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push edi; mov dword ptr [esp], ecx0_2_00FF6796
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push edi; mov dword ptr [esp], eax0_2_00FF682A
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push ecx; mov dword ptr [esp], 00000000h0_2_00FF68BC
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push ecx; mov dword ptr [esp], esi0_2_00FF68D1
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push eax; mov dword ptr [esp], 772CF879h0_2_00FF68FF
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF6134 push edi; mov dword ptr [esp], esi0_2_00FF69B2
    Source: file.exeStatic PE information: section name: entropy: 7.977788906964668
    Source: file.exeStatic PE information: section name: myrwdfbd entropy: 7.954107801561127

    Boot Survival

    barindex
    Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
    Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
    Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
    Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
    Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
    Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior

    Malware Analysis System Evasion

    barindex
    Tries to detect sandboxes / dynamic malware analysis system (registry check)
    Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
    Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFE0FA second address: FFE0FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFD10E second address: FFD12C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b jmp 00007FCE98C42BDBh 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007FCE98C42BD6h 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFD12C second address: FFD132 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFD278 second address: FFD27E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFD27E second address: FFD2CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCE98BEC844h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007FCE98BEC83Eh 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 pop eax 0x00000015 popad 0x00000016 jc 00007FCE98BEC86Bh 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FCE98BEC843h 0x00000023 jg 00007FCE98BEC836h 0x00000029 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFD2CC second address: FFD2D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFD2D6 second address: FFD2DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFD6C9 second address: FFD6DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FCE98C42BD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 js 00007FCE98C42BD6h 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFD6DF second address: FFD6E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100161F second address: 1001623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1001623 second address: 100168D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jbe 00007FCE98BEC842h 0x0000000d ja 00007FCE98BEC83Ch 0x00000013 nop 0x00000014 push 00000000h 0x00000016 jmp 00007FCE98BEC849h 0x0000001b call 00007FCE98BEC839h 0x00000020 pushad 0x00000021 jnp 00007FCE98BEC83Ch 0x00000027 jns 00007FCE98BEC836h 0x0000002d jo 00007FCE98BEC838h 0x00000033 pushad 0x00000034 popad 0x00000035 popad 0x00000036 push eax 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FCE98BEC842h 0x0000003f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100168D second address: 10016B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98C42BE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FCE98C42BD6h 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10016B1 second address: 10016D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98BEC846h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10016D8 second address: 10016DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10016DE second address: 10016E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10016E2 second address: 10016F8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d je 00007FCE98C42BD6h 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10016F8 second address: 1001730 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98BEC847h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 jmp 00007FCE98BEC845h 0x00000015 pop esi 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1001730 second address: 10017D5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCE98C42BDCh 0x00000008 jl 00007FCE98C42BD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop eax 0x00000011 push edi 0x00000012 jmp 00007FCE98C42BDAh 0x00000017 pop edx 0x00000018 push 00000003h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007FCE98C42BD8h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 jmp 00007FCE98C42BE1h 0x00000039 sbb edx, 66504902h 0x0000003f push 00000000h 0x00000041 jmp 00007FCE98C42BE3h 0x00000046 push 00000003h 0x00000048 mov edi, eax 0x0000004a call 00007FCE98C42BD9h 0x0000004f push eax 0x00000050 jmp 00007FCE98C42BDCh 0x00000055 pop eax 0x00000056 push eax 0x00000057 jnc 00007FCE98C42BF6h 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007FCE98C42BE8h 0x00000064 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10017D5 second address: 1001848 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push esi 0x0000000b push ebx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop ebx 0x0000000f pop esi 0x00000010 mov eax, dword ptr [eax] 0x00000012 jne 00007FCE98BEC840h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c js 00007FCE98BEC84Fh 0x00000022 pop eax 0x00000023 mov esi, dword ptr [ebp+122D1BB3h] 0x00000029 lea ebx, dword ptr [ebp+124513C0h] 0x0000002f pushad 0x00000030 stc 0x00000031 xor dword ptr [ebp+122D1B3Ch], eax 0x00000037 popad 0x00000038 mov dword ptr [ebp+122D1AE1h], edi 0x0000003e xchg eax, ebx 0x0000003f pushad 0x00000040 push ebx 0x00000041 push esi 0x00000042 pop esi 0x00000043 pop ebx 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007FCE98BEC83Ah 0x0000004b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FED32B second address: FED32F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F1EA second address: 101F1F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F1F0 second address: 101F1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F34F second address: 101F357 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F357 second address: 101F363 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FCE98C42BD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F363 second address: 101F367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F367 second address: 101F37A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCE98C42BD6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F606 second address: 101F616 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCE98BEC836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F616 second address: 101F620 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCE98C42BE2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F620 second address: 101F626 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F626 second address: 101F62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F62F second address: 101F641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jl 00007FCE98BEC83Eh 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F641 second address: 101F661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007FCE98C42BD6h 0x0000000c jmp 00007FCE98C42BE4h 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101F661 second address: 101F689 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCE98BEC836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007FCE98BEC843h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 pushad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101FC6E second address: 101FC89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FCE98C42BE1h 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101FC89 second address: 101FCA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98BEC848h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101FCA5 second address: 101FCC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCE98C42BE4h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF5771 second address: FF5793 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCE98BEC842h 0x00000009 jmp 00007FCE98BEC83Ch 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020564 second address: 1020569 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020CC9 second address: 1020CD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020CD1 second address: 1020CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020CD5 second address: 1020CEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCE98BEC83Ah 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020CEB second address: 1020CEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020CEF second address: 1020CFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1021263 second address: 1021267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1021267 second address: 1021270 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102661C second address: 1026622 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1026856 second address: 102685A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102685A second address: 1026865 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEB90D second address: FEB927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FCE98BEC83Ah 0x0000000a pop edx 0x0000000b jc 00007FCE98BEC852h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEB927 second address: FEB935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE98C42BDAh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEB935 second address: FEB939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102CE0D second address: 102CE15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102C675 second address: 102C67F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCE98BEC836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102CC93 second address: 102CCD2 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCE98C42BEEh 0x00000008 jmp 00007FCE98C42BE8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 pushad 0x00000015 jmp 00007FCE98C42BDFh 0x0000001a jo 00007FCE98C42BD6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E1FD second address: 102E202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E202 second address: 102E218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCE98C42BE2h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E3CD second address: 102E3D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E3D1 second address: 102E3D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E3D7 second address: 102E3FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98BEC847h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007FCE98BEC838h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E5CC second address: 102E5D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E5D2 second address: 102E5D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E5D8 second address: 102E5DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E5DC second address: 102E5E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E78E second address: 102E792 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E9B3 second address: 102E9C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 jnc 00007FCE98BEC83Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102F2D4 second address: 102F2D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102F3D0 second address: 102F3D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102F47D second address: 102F486 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102FAB8 second address: 102FACF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 js 00007FCE98BEC836h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007FCE98BEC838h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102FACF second address: 102FB51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FCE98C42BE8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e pushad 0x0000000f jmp 00007FCE98C42BE8h 0x00000014 popad 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007FCE98C42BD8h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push eax 0x00000036 call 00007FCE98C42BD8h 0x0000003b pop eax 0x0000003c mov dword ptr [esp+04h], eax 0x00000040 add dword ptr [esp+04h], 00000015h 0x00000048 inc eax 0x00000049 push eax 0x0000004a ret 0x0000004b pop eax 0x0000004c ret 0x0000004d clc 0x0000004e xchg eax, ebx 0x0000004f push eax 0x00000050 push edx 0x00000051 push edi 0x00000052 push ecx 0x00000053 pop ecx 0x00000054 pop edi 0x00000055 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10304BE second address: 10304D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCE98BEC83Fh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1032164 second address: 10321B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jc 00007FCE98C42BD6h 0x0000000b js 00007FCE98C42BD6h 0x00000011 popad 0x00000012 popad 0x00000013 nop 0x00000014 push 00000000h 0x00000016 or dword ptr [ebp+1245A0C5h], edi 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007FCE98C42BD8h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 mov edi, ebx 0x0000003a xchg eax, ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FCE98C42BE1h 0x00000042 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1031E8E second address: 1031E9A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10338C4 second address: 10338CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037951 second address: 1037960 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCE98BEC83Bh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037960 second address: 1037964 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037964 second address: 1037972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037EC4 second address: 1037EE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FCE98C42BD6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FCE98C42BDCh 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037F78 second address: 1037F82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FCE98BEC836h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038F11 second address: 1038F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jns 00007FCE98C42BD6h 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f jbe 00007FCE98C42BEEh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FCE98C42BDCh 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038F34 second address: 1038F38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103A001 second address: 103A006 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1039128 second address: 1039138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 jbe 00007FCE98BEC83Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103AF9D second address: 103AFA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103AFA1 second address: 103AFA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103B18A second address: 103B194 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCE98C42BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103C2A8 second address: 103C381 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98BEC844h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FCE98BEC848h 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007FCE98BEC843h 0x00000015 nop 0x00000016 mov edi, dword ptr [ebp+1245A14Bh] 0x0000001c push dword ptr fs:[00000000h] 0x00000023 call 00007FCE98BEC841h 0x00000028 add edi, 6436D91Ch 0x0000002e pop edi 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007FCE98BEC838h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 mov edi, 4EBB2A62h 0x00000055 mov ebx, dword ptr [ebp+122D3028h] 0x0000005b mov eax, dword ptr [ebp+122D1111h] 0x00000061 push 00000000h 0x00000063 push edx 0x00000064 call 00007FCE98BEC838h 0x00000069 pop edx 0x0000006a mov dword ptr [esp+04h], edx 0x0000006e add dword ptr [esp+04h], 0000001Bh 0x00000076 inc edx 0x00000077 push edx 0x00000078 ret 0x00000079 pop edx 0x0000007a ret 0x0000007b push FFFFFFFFh 0x0000007d sbb ebx, 40AA0806h 0x00000083 push eax 0x00000084 push eax 0x00000085 pushad 0x00000086 pushad 0x00000087 popad 0x00000088 push eax 0x00000089 push edx 0x0000008a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103B194 second address: 103B262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FCE98C42BD8h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 jmp 00007FCE98C42BE7h 0x00000028 clc 0x00000029 push dword ptr fs:[00000000h] 0x00000030 push 00000000h 0x00000032 push eax 0x00000033 call 00007FCE98C42BD8h 0x00000038 pop eax 0x00000039 mov dword ptr [esp+04h], eax 0x0000003d add dword ptr [esp+04h], 0000001Ah 0x00000045 inc eax 0x00000046 push eax 0x00000047 ret 0x00000048 pop eax 0x00000049 ret 0x0000004a mov dword ptr [ebp+122D1B2Ch], eax 0x00000050 mov dword ptr fs:[00000000h], esp 0x00000057 call 00007FCE98C42BE4h 0x0000005c pop edi 0x0000005d movzx edi, bx 0x00000060 mov eax, dword ptr [ebp+122D0C51h] 0x00000066 jmp 00007FCE98C42BE5h 0x0000006b push FFFFFFFFh 0x0000006d mov dword ptr [ebp+122D2B19h], edx 0x00000073 nop 0x00000074 push eax 0x00000075 push edx 0x00000076 jmp 00007FCE98C42BE8h 0x0000007b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103E3AB second address: 103E3BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCE98BEC83Fh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103B262 second address: 103B270 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103D473 second address: 103D477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F4A0 second address: 103F4A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F582 second address: 103F60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 jmp 00007FCE98BEC83Ah 0x0000000b pop ecx 0x0000000c popad 0x0000000d nop 0x0000000e mov ebx, dword ptr [ebp+12471BE9h] 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007FCE98BEC838h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 mov di, 1980h 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 add ebx, 236C1BDDh 0x00000046 mov eax, dword ptr [ebp+122D0EE1h] 0x0000004c mov ebx, dword ptr [ebp+122D19C6h] 0x00000052 push FFFFFFFFh 0x00000054 push 00000000h 0x00000056 push edi 0x00000057 call 00007FCE98BEC838h 0x0000005c pop edi 0x0000005d mov dword ptr [esp+04h], edi 0x00000061 add dword ptr [esp+04h], 0000001Dh 0x00000069 inc edi 0x0000006a push edi 0x0000006b ret 0x0000006c pop edi 0x0000006d ret 0x0000006e mov ebx, dword ptr [ebp+122D35C1h] 0x00000074 nop 0x00000075 pushad 0x00000076 push eax 0x00000077 push edx 0x00000078 pushad 0x00000079 popad 0x0000007a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F60E second address: 103F617 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10442AB second address: 10442BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FCE98BEC83Dh 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043508 second address: 104350D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10453E6 second address: 10453EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10453EE second address: 10453F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10453F2 second address: 10453F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104732F second address: 1047335 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10453F6 second address: 104549B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007FCE98BEC845h 0x00000015 popad 0x00000016 popad 0x00000017 nop 0x00000018 mov ebx, dword ptr [ebp+1245EDDCh] 0x0000001e mov bx, dx 0x00000021 push dword ptr fs:[00000000h] 0x00000028 sub dword ptr [ebp+122D1B6Fh], edx 0x0000002e mov dword ptr fs:[00000000h], esp 0x00000035 xor edi, dword ptr [ebp+122D3561h] 0x0000003b jmp 00007FCE98BEC83Eh 0x00000040 mov eax, dword ptr [ebp+122D06C5h] 0x00000046 push 00000000h 0x00000048 push esi 0x00000049 call 00007FCE98BEC838h 0x0000004e pop esi 0x0000004f mov dword ptr [esp+04h], esi 0x00000053 add dword ptr [esp+04h], 00000019h 0x0000005b inc esi 0x0000005c push esi 0x0000005d ret 0x0000005e pop esi 0x0000005f ret 0x00000060 push FFFFFFFFh 0x00000062 mov dword ptr [ebp+122D1A04h], edx 0x00000068 or di, 6EBAh 0x0000006d nop 0x0000006e pushad 0x0000006f push eax 0x00000070 push edx 0x00000071 jmp 00007FCE98BEC844h 0x00000076 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104549B second address: 104549F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104549F second address: 10454A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10454A9 second address: 10454D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98C42BE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCE98C42BDEh 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10454D4 second address: 10454E6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCE98BEC836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FCE98BEC836h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10454E6 second address: 10454EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10474AC second address: 10474C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98BEC842h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104B22F second address: 104B233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104B233 second address: 104B259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 je 00007FCE98BEC858h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FCE98BEC846h 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104FB3A second address: 104FB51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE98C42BE3h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CE44 second address: 105CE6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007FCE98BEC842h 0x0000000b jmp 00007FCE98BEC83Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105C156 second address: 105C15A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105C15A second address: 105C162 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105C162 second address: 105C173 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FCE98C42BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105C450 second address: 105C458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105C458 second address: 105C469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCE98C42BD6h 0x0000000a jc 00007FCE98C42BD6h 0x00000010 popad 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105C469 second address: 105C496 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 ja 00007FCE98BEC836h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop esi 0x0000000c jmp 00007FCE98BEC83Bh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 jmp 00007FCE98BEC840h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105C496 second address: 105C4BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE98C42BE5h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007FCE98C42BD6h 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105C654 second address: 105C668 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FCE98BEC836h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007FCE98BEC836h 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105C668 second address: 105C68F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCE98C42BD6h 0x00000008 jnl 00007FCE98C42BD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 jmp 00007FCE98C42BE2h 0x00000019 pop esi 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105C68F second address: 105C6AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCE98BEC845h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CC8E second address: 105CCA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE98C42BDAh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CCA6 second address: 105CCAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CCAC second address: 105CCB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CCB0 second address: 105CCB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CCB4 second address: 105CCBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105CCBD second address: 105CCCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCE98BEC836h 0x0000000a jns 00007FCE98BEC836h 0x00000010 popad 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10624EF second address: 106250C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98C42BDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007FCE98C42BD8h 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10611B8 second address: 10611BD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061316 second address: 1061321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FCE98C42BD6h 0x0000000a popad 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061594 second address: 106159A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061719 second address: 106173B instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCE98C42BF4h 0x00000008 jmp 00007FCE98C42BE8h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106173B second address: 106174F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 jc 00007FCE98BEC836h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106174F second address: 1061755 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061755 second address: 1061773 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCE98BEC847h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061773 second address: 1061794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE98C42BE2h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007FCE98C42BD6h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10618B3 second address: 10618BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10618BC second address: 10618C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061A57 second address: 1061A5C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061BB2 second address: 1061BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FCE98C42BD6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061BC1 second address: 1061BCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jns 00007FCE98BEC836h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061E69 second address: 1061E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061E6D second address: 1061E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061E76 second address: 1061E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061E7C second address: 1061EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FCE98BEC847h 0x0000000e jmp 00007FCE98BEC847h 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10172D4 second address: 10172EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FCE98C42BD6h 0x0000000a jmp 00007FCE98C42BDAh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1060D2A second address: 1060D3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FCE98BEC836h 0x00000009 jmp 00007FCE98BEC83Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1060D3F second address: 1060D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jnl 00007FCE98C42BD6h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036046 second address: 1036065 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCE98BEC836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCE98BEC843h 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10363ED second address: 10363F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FCE98C42BD6h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10364CE second address: 10364D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10364D2 second address: 10364DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10364DC second address: 10364E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10364E0 second address: 10364E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10365CA second address: 10365D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007FCE98BEC836h 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103690F second address: 103691C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103691C second address: 1036920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036D2F second address: 1036D35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036ED1 second address: 1036ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10370FA second address: 1037100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037100 second address: 1037145 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FCE98BEC838h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 mov edx, dword ptr [ebp+122D366Dh] 0x0000002b lea eax, dword ptr [ebp+12485B9Fh] 0x00000031 mov dword ptr [ebp+12471BE9h], esi 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037145 second address: 103714F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCE98C42BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103714F second address: 103718D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edx, dword ptr [ebp+122D3721h] 0x00000013 lea eax, dword ptr [ebp+12485B5Bh] 0x00000019 mov edi, 4FFA490Ah 0x0000001e jmp 00007FCE98BEC83Bh 0x00000023 push eax 0x00000024 pushad 0x00000025 pushad 0x00000026 jmp 00007FCE98BEC840h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103718D second address: 103719A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FCE98C42BDCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103719A second address: 10172D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FCE98BEC838h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 or ecx, dword ptr [ebp+122D364Dh] 0x00000028 call dword ptr [ebp+122D182Bh] 0x0000002e pushad 0x0000002f jp 00007FCE98BEC842h 0x00000035 jg 00007FCE98BEC843h 0x0000003b pushad 0x0000003c jne 00007FCE98BEC836h 0x00000042 jmp 00007FCE98BEC847h 0x00000047 jo 00007FCE98BEC836h 0x0000004d jmp 00007FCE98BEC848h 0x00000052 popad 0x00000053 popad 0x00000054 push esi 0x00000055 push esi 0x00000056 push ebx 0x00000057 pop ebx 0x00000058 pop esi 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1065DBF second address: 1065DDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007FCE98C42BE4h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10662F8 second address: 1066346 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98BEC843h 0x00000007 jbe 00007FCE98BEC849h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jg 00007FCE98BEC836h 0x00000018 jmp 00007FCE98BEC83Eh 0x0000001d popad 0x0000001e push ebx 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 pop ebx 0x00000024 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066346 second address: 106634E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106634E second address: 1066358 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCE98BEC836h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066358 second address: 1066366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FCE98C42BDCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10667C0 second address: 10667D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007FCE98BEC836h 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10667D1 second address: 10667D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10667D5 second address: 10667DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10667DB second address: 106680C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FCE98C42BDCh 0x0000000c jno 00007FCE98C42BD6h 0x00000012 push ecx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FCE98C42BE7h 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106680C second address: 1066810 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEEDDB second address: FEEDDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106A60C second address: 106A610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106A610 second address: 106A616 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106D009 second address: 106D00D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106D00D second address: 106D01D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FCE98C42BD6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF725D second address: FF7261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF7261 second address: FF7281 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCE98C42BD6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007FCE98C42BDEh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF7281 second address: FF7287 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF7287 second address: FF7292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1070411 second address: 1070433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCE98BEC836h 0x0000000a jno 00007FCE98BEC836h 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007FCE98BEC83Ch 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1070433 second address: 1070442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007FCE98C42BD6h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10753DD second address: 107540C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCE98BEC836h 0x00000008 jmp 00007FCE98BEC842h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FCE98BEC83Eh 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10756C5 second address: 10756D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jnc 00007FCE98C42BD6h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10756D7 second address: 10756E7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCE98BEC836h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075B40 second address: 1075B79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98C42BE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCE98C42BE1h 0x00000010 pushad 0x00000011 ja 00007FCE98C42BD6h 0x00000017 jc 00007FCE98C42BD6h 0x0000001d push edi 0x0000001e pop edi 0x0000001f popad 0x00000020 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075B79 second address: 1075B85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnc 00007FCE98BEC836h 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075056 second address: 107505C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107505C second address: 1075096 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FCE98BEC843h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f pushad 0x00000010 je 00007FCE98BEC836h 0x00000016 push eax 0x00000017 pop eax 0x00000018 jmp 00007FCE98BEC842h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075096 second address: 107509F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107509F second address: 10750A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10750A3 second address: 10750A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10750A9 second address: 10750C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCE98BEC83Ch 0x0000000e jl 00007FCE98BEC838h 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075FDC second address: 1075FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FCE98C42BE8h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1075FF9 second address: 1076010 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98BEC841h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1079F69 second address: 1079F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE98C42BE9h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1079F8D second address: 1079F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B7A3 second address: 107B7A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107DF71 second address: 107DF77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107DF77 second address: 107DF83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107DF83 second address: 107DF98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FCE98BEC836h 0x0000000f jns 00007FCE98BEC836h 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10830EF second address: 1083109 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FCE98C42BE4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108298E second address: 10829A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98BEC83Bh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1082B12 second address: 1082B3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 je 00007FCE98C42C07h 0x0000000f pushad 0x00000010 jnl 00007FCE98C42BD6h 0x00000016 jmp 00007FCE98C42BE0h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10856D6 second address: 10856E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FCE98BEC836h 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10856E4 second address: 108570D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 je 00007FCE98C42BDEh 0x0000000e pushad 0x0000000f jmp 00007FCE98C42BDAh 0x00000014 jno 00007FCE98C42BD6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108570D second address: 1085718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1085718 second address: 1085734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE98C42BE8h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108B73B second address: 108B746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FCE98BEC836h 0x0000000a pop ebx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108B746 second address: 108B768 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f pushad 0x00000010 jmp 00007FCE98C42BE0h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A573 second address: 108A577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A577 second address: 108A57D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A57D second address: 108A597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FCE98BEC83Eh 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A597 second address: 108A5AA instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCE98C42BDEh 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036B40 second address: 1036B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036B44 second address: 1036B48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036B48 second address: 1036BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FCE98BEC838h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 add dword ptr [ebp+122D1B8Dh], edx 0x00000028 push 00000004h 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d call 00007FCE98BEC838h 0x00000032 pop ebx 0x00000033 mov dword ptr [esp+04h], ebx 0x00000037 add dword ptr [esp+04h], 0000001Ch 0x0000003f inc ebx 0x00000040 push ebx 0x00000041 ret 0x00000042 pop ebx 0x00000043 ret 0x00000044 mov edi, dword ptr [ebp+122D3845h] 0x0000004a nop 0x0000004b push eax 0x0000004c push edx 0x0000004d push esi 0x0000004e push edx 0x0000004f pop edx 0x00000050 pop esi 0x00000051 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036BA8 second address: 1036BCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98C42BE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036BCA second address: 1036BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE9FED second address: FEA002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push ebx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092292 second address: 10922A1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCE98BEC836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push edi 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092BD9 second address: 1092BEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE98C42BE0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092BEF second address: 1092BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092BFC second address: 1092C02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092EC4 second address: 1092ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092ECA second address: 1092EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jo 00007FCE98C42BEDh 0x0000000b jmp 00007FCE98C42BE5h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109379C second address: 10937A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10986BA second address: 10986E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE98C42BE4h 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCE98C42BE3h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1098B43 second address: 1098B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCE98BEC846h 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1098B6B second address: 1098B87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCE98C42BE6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1098EA4 second address: 1098EB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FCE98BEC83Fh 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1098EB8 second address: 1098EC2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCE98C42BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1098FF2 second address: 1098FF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099172 second address: 1099178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109DD71 second address: 109DD76 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A7581 second address: 10A7587 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A7587 second address: 10A758B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A758B second address: 10A759E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jno 00007FCE98C42BD6h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A79DC second address: 10A7A1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FCE98BEC836h 0x0000000a jmp 00007FCE98BEC83Ah 0x0000000f popad 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007FCE98BEC83Bh 0x00000019 jno 00007FCE98BEC836h 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 push edi 0x00000023 jmp 00007FCE98BEC83Fh 0x00000028 pop edi 0x00000029 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A7CE2 second address: 10A7CE8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A7CE8 second address: 10A7D06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCE98BEC848h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A7D06 second address: 10A7D10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A7D10 second address: 10A7D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8DBF second address: 10A8DD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98C42BE0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A6CA0 second address: 10A6CAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FCE98BEC836h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A6CAC second address: 10A6CB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF2CD second address: 10AF2D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB55A second address: 10BB564 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB564 second address: 10BB56A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C1F2B second address: 10C1F3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98C42BDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C1F3F second address: 10C1F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C1F45 second address: 10C1F64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FCE98C42BD6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d jmp 00007FCE98C42BE2h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C1F64 second address: 10C1F73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 jo 00007FCE98BEC836h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C1AD7 second address: 10C1ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C1ADB second address: 10C1AE0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C1AE0 second address: 10C1AE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D787C second address: 10D788B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCE98BEC836h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D788B second address: 10D78AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FCE98C42BE7h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D78AB second address: 10D78AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D78AF second address: 10D78B9 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCE98C42BD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D63AF second address: 10D63CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FCE98BEC846h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D63CF second address: 10D63D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D63D3 second address: 10D63D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D652B second address: 10D6572 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCE98C42BE1h 0x00000008 jno 00007FCE98C42BD6h 0x0000000e popad 0x0000000f push ebx 0x00000010 jmp 00007FCE98C42BDEh 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FCE98C42BE6h 0x00000021 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D6572 second address: 10D657E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jo 00007FCE98BEC836h 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D657E second address: 10D658D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCE98C42BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D658D second address: 10D6593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D6839 second address: 10D683E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D69D9 second address: 10D69DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D69DD second address: 10D69FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCE98C42BE1h 0x0000000b push esi 0x0000000c pushad 0x0000000d jg 00007FCE98C42BD6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D69FE second address: 10D6A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DAFCD second address: 10DAFD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DAFD3 second address: 10DAFE0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DAFE0 second address: 10DAFE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DAFE4 second address: 10DAFF2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCE98BEC836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DAFF2 second address: 10DAFF8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E8B20 second address: 10E8B41 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCE98BEC845h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EC17F second address: 10EC183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F9717 second address: 10F9721 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCE98BEC836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F9721 second address: 10F9727 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F9727 second address: 10F972B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F972B second address: 10F9731 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F9295 second address: 10F92B1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FCE98BEC83Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F92B1 second address: 10F92BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F92BA second address: 10F92C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F92C0 second address: 10F92C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE6A69 second address: FE6A82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98BEC845h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1111225 second address: 111124D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCE98C42BD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007FCE98C42BECh 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11113B6 second address: 11113BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11113BC second address: 11113D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE98C42BE5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1111AD3 second address: 1111AE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE98BEC83Bh 0x00000009 popad 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1111AE3 second address: 1111AF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98C42BDAh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1111AF2 second address: 1111AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1111AF8 second address: 1111B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCE98C42BDAh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f je 00007FCE98C42BDEh 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1111B1E second address: 1111B22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1111CFF second address: 1111D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1111D03 second address: 1111D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCE98BEC843h 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1114B64 second address: 1114B6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1114B6A second address: 1114BD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FCE98BEC836h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 mov edx, 11EE0C4Fh 0x00000016 movsx edx, di 0x00000019 push 00000004h 0x0000001b sub edx, 6B893E30h 0x00000021 call 00007FCE98BEC839h 0x00000026 push esi 0x00000027 push edi 0x00000028 jnl 00007FCE98BEC836h 0x0000002e pop edi 0x0000002f pop esi 0x00000030 push eax 0x00000031 jnc 00007FCE98BEC84Bh 0x00000037 jc 00007FCE98BEC845h 0x0000003d mov eax, dword ptr [esp+04h] 0x00000041 jmp 00007FCE98BEC843h 0x00000046 mov eax, dword ptr [eax] 0x00000048 pushad 0x00000049 push esi 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1114BD7 second address: 1114BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FCE98C42BD6h 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1114BE4 second address: 1114BE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1114E85 second address: 1114E93 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1114E93 second address: 1114E97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11160FF second address: 1116103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1116103 second address: 111611F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCE98BEC836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FCE98BEC83Ah 0x00000010 je 00007FCE98BEC836h 0x00000016 popad 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111611F second address: 111613D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98C42BE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111613D second address: 1116143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1117D54 second address: 1117D5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11178B5 second address: 11178C6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jng 00007FCE98BEC836h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5270DF0 second address: 5270DF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5270DF4 second address: 5270DFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5270DFA second address: 5270E2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98C42BDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [eax+00000FDCh] 0x0000000f jmp 00007FCE98C42BE0h 0x00000014 test ecx, ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov di, A610h 0x0000001d mov esi, edi 0x0000001f popad 0x00000020 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5270E2E second address: 5270E34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5270E34 second address: 5270E38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5270E38 second address: 5270E66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007FCE98BEC884h 0x0000000e jmp 00007FCE98BEC848h 0x00000013 add eax, ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5270E66 second address: 5270E6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5270E6A second address: 5270E87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCE98BEC849h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5270E87 second address: 5270ED5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 1FB53932h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax+00000860h] 0x00000013 jmp 00007FCE98C42BDFh 0x00000018 test eax, eax 0x0000001a jmp 00007FCE98C42BE6h 0x0000001f je 00007FCF0A308A74h 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FCE98C42BDAh 0x0000002e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5270ED5 second address: 5270ED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5270ED9 second address: 5270EDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Tries to evade debugger and weak emulator (self modifying code)
    Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 10266C2 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 1035FD5 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: E838CB instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 10B1D63 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
    Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
    Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
    Source: C:\Users\user\Desktop\file.exe TID: 5008Thread sleep time: -30000s >= -30000sJump to behavior
    Source: file.exe, file.exe, 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
    Source: file.exe, 00000000.00000003.2198358610.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.000000000138E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
    Source: file.exe, 00000000.00000003.2198358610.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199692531.00000000013EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBn
    Source: file.exe, 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
    Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
    Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

    Anti Debugging

    barindex
    Hides threads from debuggers
    Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
    Tries to detect sandboxes and other dynamic analysis tools (window names)
    Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
    Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
    Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
    Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
    Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
    Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
    Source: C:\Users\user\Desktop\file.exeFile opened: SICE
    Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
    Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
    Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
    Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E65BB0 LdrInitializeThunk,0_2_00E65BB0

    HIPS / PFW / Operating System Protection Evasion

    barindex
    LummaC encrypted strings found
    Source: file.exeString found in binary or memory: licendfilteo.site
    Source: file.exeString found in binary or memory: clearancek.site
    Source: file.exeString found in binary or memory: bathdoomgaz.stor
    Source: file.exeString found in binary or memory: spirittunek.stor
    Source: file.exeString found in binary or memory: dissapoiznw.stor
    Source: file.exeString found in binary or memory: studennotediw.stor
    Source: file.exeString found in binary or memory: mobbipenju.stor
    Source: file.exeString found in binary or memory: eaglepawnoy.stor
    Source: file.exe, file.exe, 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ~Program Manager
    Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Stealing of Sensitive Information

    barindex
    Yara detected LummaC Stealer
    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Yara detected LummaC Stealer
    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
    Command and Scripting Interpreter    		1
    DLL Side-Loading    		1
    Process Injection    		24
    Virtualization/Sandbox Evasion    		OS Credential Dumping631
    Security Software Discovery    		Remote Services1
    Archive Collected Data    		11
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault Accounts1
    PowerShell    		Boot or Logon Initialization Scripts1
    DLL Side-Loading    		1
    Process Injection    		LSASS Memory24
    Virtualization/Sandbox Evasion    		Remote Desktop ProtocolData from Removable Media1
    Ingress Tool Transfer    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
    Deobfuscate/Decode Files or Information    		Security Account Manager2
    Process Discovery    		SMB/Windows Admin SharesData from Network Shared Drive2
    Non-Application Layer Protocol    		Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook5
    Obfuscated Files or Information    		NTDS23
    System Information Discovery    		Distributed Component Object ModelInput Capture113
    Application Layer Protocol    		Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
    Software Packing    		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
    DLL Side-Loading    		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    file.exe42%ReversingLabsWin32.Trojan.Generic
    file.exe53%VirustotalBrowse
    file.exe100%AviraTR/Crypt.ZPACK.Gen
    file.exe100%Joe Sandbox ML

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    SourceDetectionScannerLabelLink
    steamcommunity.com0%VirustotalBrowse
    eaglepawnoy.store19%VirustotalBrowse
    bathdoomgaz.store18%VirustotalBrowse
    studennotediw.store18%VirustotalBrowse
    spirittunek.store19%VirustotalBrowse
    mobbipenju.store18%VirustotalBrowse
    dissapoiznw.store18%VirustotalBrowse
    clearancek.site18%VirustotalBrowse
    licendfilteo.site16%VirustotalBrowse

    URLs

    SourceDetectionScannerLabelLink
    https://player.vimeo.com0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english0%URL Reputationsafe
    https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f0%URL Reputationsafe
    https://help.steampowered.com/en/0%URL Reputationsafe
    https://store.steampowered.com/news/0%URL Reputationsafe
    https://community.akamai.steamstatic.com/0%URL Reputationsafe
    https://store.steampowered.com/subscriber_agreement/0%URL Reputationsafe
    https://www.gstatic.cn/recaptcha/0%URL Reputationsafe
    http://store.steampowered.com/subscriber_agreement/0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af60%URL Reputationsafe
    https://recaptcha.net/recaptcha/;0%URL Reputationsafe
    http://www.valvesoftware.com/legal.htm0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png0%URL Reputationsafe
    https://store.steampowered.com/stats/0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png0%URL Reputationsafe
    https://medal.tv0%URL Reputationsafe
    https://broadcast.st.dl.eccdnx.com0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=10%URL Reputationsafe
    https://store.steampowered.com/steam_refunds/0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp;0%URL Reputationsafe
    https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL0%URL Reputationsafe
    https://login.steampowered.com/0%URL Reputationsafe
    https://store.steampowered.com/legal/0%URL Reputationsafe
    https://steam.tv/0%URL Reputationsafe
    https://steamcommunity.com/profiles/76561199724331900100%URL Reputationmalware
    https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl0%URL Reputationsafe
    http://store.steampowered.com/privacy_agreement/0%URL Reputationsafe
    https://steamcommunity.com:443/profiles/76561199724331900100%URL Reputationmalware
    https://store.steampowered.com/points/shop/0%URL Reputationsafe
    https://recaptcha.net0%URL Reputationsafe
    https://store.steampowered.com/0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw0%URL Reputationsafe
    https://lv.queniujq.cn0%URL Reputationsafe
    https://store.steampowered.com/privacy_agreement/0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=en0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt00%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=9620160%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english0%URL Reputationsafe
    https://checkout.steampowered.com/0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english0%URL Reputationsafe
    https://help.steampowered.com/0%URL Reputationsafe
    https://api.steampowered.com/0%URL Reputationsafe
    http://store.steampowered.com/account/cookiepreferences/0%URL Reputationsafe
    https://store.steampowered.com/mobile0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC0%URL Reputationsafe
    https://store.steampowered.com/;0%URL Reputationsafe
    https://store.steampowered.com/about/0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp0%VirustotalBrowse
    https://steamcommunity.com/my/wishlist/0%VirustotalBrowse
    https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/0%VirustotalBrowse
    https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org0%VirustotalBrowse
    https://steamcommunity.com/market/0%VirustotalBrowse
    https://steamcommunity.com/discussions/0%VirustotalBrowse
    https://steamcommunity.com/?subsection=broadcasts0%VirustotalBrowse
    https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&amp;l=engli0%VirustotalBrowse
    https://www.youtube.com0%VirustotalBrowse
    https://www.google.com0%VirustotalBrowse
    bathdoomgaz.store18%VirustotalBrowse
    https://steamcommunity.com/P0%VirustotalBrowse
    studennotediw.store18%VirustotalBrowse
    https://steamcommunity.com/login/home/?goto=profiles%2F765611997243319000%VirustotalBrowse
    https://clearancek.site:443/api20%VirustotalBrowse
    https://steamcommunity.com/workshop/0%VirustotalBrowse
    clearancek.site18%VirustotalBrowse
    https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=M7aU0%VirustotalBrowse
    spirittunek.store19%VirustotalBrowse
    https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=Gu9gs5hf0%VirustotalBrowse
    licendfilteo.site16%VirustotalBrowse
    eaglepawnoy.store19%VirustotalBrowse
    dissapoiznw.store18%VirustotalBrowse
    mobbipenju.store18%VirustotalBrowse
    http://127.0.0.1:270600%VirustotalBrowse
    https://steamcommunity.com0%VirustotalBrowse
    https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a0%VirustotalBrowse
    https://sketchfab.com0%VirustotalBrowse
    https://www.youtube.com/0%VirustotalBrowse

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    steamcommunity.com
    		104.102.49.254
    		truetrueunknown
    eaglepawnoy.store
    		unknown
    		unknowntrueunknown
    bathdoomgaz.store
    		unknown
    		unknowntrueunknown
    spirittunek.store
    		unknown
    		unknowntrueunknown
    licendfilteo.site
    		unknown
    		unknowntrueunknown
    studennotediw.store
    		unknown
    		unknowntrueunknown
    mobbipenju.store
    		unknown
    		unknowntrueunknown
    clearancek.site
    		unknown
    		unknowntrueunknown
    dissapoiznw.store
    		unknown
    		unknowntrueunknown

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    bathdoomgaz.storetrueunknown
    studennotediw.storetrueunknown
    clearancek.sitetrueunknown
    dissapoiznw.storetrueunknown
    https://steamcommunity.com/profiles/76561199724331900true
    • URL Reputation: malware
    		unknown
    spirittunek.storetrueunknown
    licendfilteo.sitetrueunknown
    eaglepawnoy.storetrueunknown
    mobbipenju.storetrueunknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://steamcommunity.com/my/wishlist/file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalseunknown
    https://player.vimeo.comfile.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=englishfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&ampfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalseunknown
    https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5ffile.exe, 00000000.00000003.2198358610.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://steamcommunity.com/?subsection=broadcastsfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpfalseunknown
    https://help.steampowered.com/en/file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalseunknown
    https://steamcommunity.com/market/file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpfalseunknown
    https://store.steampowered.com/news/file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://community.akamai.steamstatic.com/file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://store.steampowered.com/subscriber_agreement/file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://www.gstatic.cn/recaptcha/file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    http://store.steampowered.com/subscriber_agreement/file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalseunknown
    https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://recaptcha.net/recaptcha/;file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    http://www.valvesoftware.com/legal.htmfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://steamcommunity.com/discussions/file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpfalseunknown
    https://www.youtube.comfile.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalseunknown
    https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://www.google.comfile.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalseunknown
    https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&amp;l=englifile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalseunknown
    https://store.steampowered.com/stats/file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.pngfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://medal.tvfile.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://broadcast.st.dl.eccdnx.comfile.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://steamcommunity.com/Pfile.exe, 00000000.00000002.2199692531.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.00000000013E1000.00000004.00000020.00020000.00000000.sdmpfalseunknown
    https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://store.steampowered.com/steam_refunds/file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp;file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedbackfile.exe, 00000000.00000003.2198358610.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalseunknown
    https://clearancek.site:443/apifile.exe, 00000000.00000003.2198358610.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmptrueunknown
    https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tLfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://s.ytimg.com;file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
      		unknown
      https://steamcommunity.com/workshop/file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpfalseunknown
      https://login.steampowered.com/file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown
      https://steamcommunity.com/Microsoftfile.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
        		unknown
        https://store.steampowered.com/legal/file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://steam.tv/file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=Gu9gs5hffile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalseunknown
        https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=englishfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=englfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        http://store.steampowered.com/privacy_agreement/file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://steamcommunity.com:443/profiles/76561199724331900file.exe, 00000000.00000003.2198358610.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmptrue
        • URL Reputation: malware
        		unknown
        https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=M7aUfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalseunknown
        https://store.steampowered.com/points/shop/file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://recaptcha.netfile.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://store.steampowered.com/file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://steamcommunity.comfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalseunknown
        https://sketchfab.comfile.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalseunknown
        https://lv.queniujq.cnfile.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://www.youtube.com/file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalseunknown
        http://127.0.0.1:27060file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalseunknown
        https://store.steampowered.com/privacy_agreement/file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=enfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&afile.exe, 00000000.00000002.2199692531.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalseunknown
        https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=englishfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://www.google.com/recaptcha/file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
          		unknown
          https://checkout.steampowered.com/file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          https://help.steampowered.com/file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          https://api.steampowered.com/file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://store.steampowered.com/account/cookiepreferences/file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199587824.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          https://store.steampowered.com/mobilefile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          https://steamcommunity.com/file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
            		unknown
            https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCfile.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198300913.0000000001454000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            https://store.steampowered.com/;file.exe, 00000000.00000003.2198358610.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199777018.0000000001412000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2198358610.0000000001438000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2199835637.0000000001438000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            https://store.steampowered.com/about/file.exe, 00000000.00000003.2198300913.000000000145A000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown

            World Map of Contacted IPs

            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs

            Public IPs

            IPDomainCountryFlagASNASN NameMalicious
            104.102.49.254
            		steamcommunity.comUnited States
            		16625AKAMAI-ASUStrue

            General Information

            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1530637
            Start date and time:2024-10-10 10:08:25 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 2m 42s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:2
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:file.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@1/0@9/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:Failed
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Stop behavior analysis, all processes terminated

            Warnings

            • Exclude process from analysis (whitelisted): dllhost.exe
            • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            TimeTypeDescription
            04:09:22API Interceptor2x Sleep call for process: file.exe modified

            Joe Sandbox View / Context

            IPs

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            104.102.49.254http://gtm-cn-j4g3qqvf603.steamproxy1.com/Get hashmaliciousUnknownBrowse
            • www.valvesoftware.com/legal.htm

            Domains

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            steamcommunity.comfile.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            zYlQoif21X.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, StealcBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 23.192.247.89

            ASNs

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            AKAMAI-ASUSna.elfGet hashmaliciousMiraiBrowse
            • 104.113.196.16
            Quarantined Messages(11).zipGet hashmaliciousHTMLPhisherBrowse
            • 2.19.126.151
            https://w7950.app.blinkops.com/Get hashmaliciousUnknownBrowse
            • 2.19.126.219
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            zYlQoif21X.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, StealcBrowse
            • 104.102.49.254
            na.elfGet hashmaliciousUnknownBrowse
            • 23.40.71.125
            Rechnung0192839182.pdfGet hashmaliciousUnknownBrowse
            • 23.46.224.162
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254

            JA3 Fingerprints

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            a0e9f5d64349fb13191bc781f81f42e1file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            zYlQoif21X.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, StealcBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254
            file.exeGet hashmaliciousLummaCBrowse
            • 104.102.49.254

            Dropped Files

            No context

            Created / dropped Files

            No created / dropped files found

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.949618267243262
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:file.exe
            File size:1'837'056 bytes
            MD5:2e9403b66ad1a28806ffb2b17b2f127e
            SHA1:0d51ec4158aea1c7b7a8b12b9e09f6936f0e5d0a
            SHA256:5a859342214dbeacb5dcbba9e3fa59185ace49e67beb9884f2767901b9a52ce7
            SHA512:86a774c6c3bacf7dfcb27ba91e149231e836a2b0481944ae699545da4e3a38fcfdc912f997cc97c9091231d350684fb261d1042153a8af63b4c42ce2e76382ec
            SSDEEP:49152:0yv72TYRfTP8mlmlwcCCw4GWIeoLGBGEnI+Xx:0yv7wYBTP8X7W4G1e4G8EnB
            TLSH:BD853395FE2D920DDC8E96FB89B286030BB1FF4621FD92935E407BF5855F6048392638
            File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................I...........@...........................I...........@.................................W...k..

            File Icon

            Icon Hash:00928e8e8686b000

            Static PE Info

            General

            Entrypoint:0x89b000
            Entrypoint Section:.taggant
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:6
            OS Version Minor:0
            File Version Major:6
            File Version Minor:0
            Subsystem Version Major:6
            Subsystem Version Minor:0
            Import Hash:2eabe9054cad5152567f0699947a2c5b

            Entrypoint Preview

            Instruction
            jmp 00007FCE98E31ADAh

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0x5f0570x6b.idata
            IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0x5f1f80x8.idata
            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x00x0
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
            0x10000x5d0000x25e00de538e24a775248a74f7fb782d272da3False0.9994198638613861data7.977788906964668IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc 0x5e0000x10000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .idata 0x5f0000x10000x200fe72def8b74193a84232a780098a7ce0False0.150390625data1.04205214219471IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            0x600000x2a30000x2003ffb6ecbd7b0f24db841584fb8d9565dunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            myrwdfbd0x3030000x1970000x1970006e26247300a5c3e2d12c1ca184ee0d91False0.994171817414005data7.954107801561127IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            ffhyloyn0x49a0000x10000x400750b6e22ee2584f2348404dc6c91e60fFalse0.7734375data6.006048030324118IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .taggant0x49b0000x30000x2200ef4a49e9b4f805878b69c90a10d3b0f1False0.060776654411764705DOS executable (COM)0.8011160049639724IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

            Imports

            DLLImport
            kernel32.dlllstrcpy

            Network Behavior

            Suricata IDS Alerts

            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
            2024-10-10T10:09:23.968108+02002056471ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)1192.168.2.6578551.1.1.153UDP
            2024-10-10T10:09:23.981077+02002056485ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)1192.168.2.6553821.1.1.153UDP
            2024-10-10T10:09:23.991670+02002056483ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)1192.168.2.6603881.1.1.153UDP
            2024-10-10T10:09:24.002516+02002056481ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)1192.168.2.6492611.1.1.153UDP
            2024-10-10T10:09:24.013344+02002056479ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)1192.168.2.6536731.1.1.153UDP
            2024-10-10T10:09:24.022283+02002056477ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)1192.168.2.6604641.1.1.153UDP
            2024-10-10T10:09:24.041252+02002056475ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)1192.168.2.6549161.1.1.153UDP
            2024-10-10T10:09:24.054441+02002056473ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)1192.168.2.6515031.1.1.153UDP
            2024-10-10T10:09:25.228304+02002858666ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup1192.168.2.649714104.102.49.254443TCP

            Network Port Distribution

            TCP Packets

            TimestampSource PortDest PortSource IPDest IP
            Oct 10, 2024 10:09:24.080491066 CEST49714443192.168.2.6104.102.49.254
            Oct 10, 2024 10:09:24.080524921 CEST44349714104.102.49.254192.168.2.6
            Oct 10, 2024 10:09:24.082619905 CEST49714443192.168.2.6104.102.49.254
            Oct 10, 2024 10:09:24.083600998 CEST49714443192.168.2.6104.102.49.254
            Oct 10, 2024 10:09:24.083614111 CEST44349714104.102.49.254192.168.2.6
            Oct 10, 2024 10:09:24.734239101 CEST44349714104.102.49.254192.168.2.6
            Oct 10, 2024 10:09:24.734327078 CEST49714443192.168.2.6104.102.49.254
            Oct 10, 2024 10:09:24.736844063 CEST49714443192.168.2.6104.102.49.254
            Oct 10, 2024 10:09:24.736857891 CEST44349714104.102.49.254192.168.2.6
            Oct 10, 2024 10:09:24.737159967 CEST44349714104.102.49.254192.168.2.6
            Oct 10, 2024 10:09:24.784209967 CEST49714443192.168.2.6104.102.49.254
            Oct 10, 2024 10:09:24.831398964 CEST44349714104.102.49.254192.168.2.6
            Oct 10, 2024 10:09:25.228327036 CEST44349714104.102.49.254192.168.2.6
            Oct 10, 2024 10:09:25.228353024 CEST44349714104.102.49.254192.168.2.6
            Oct 10, 2024 10:09:25.228360891 CEST44349714104.102.49.254192.168.2.6
            Oct 10, 2024 10:09:25.228388071 CEST44349714104.102.49.254192.168.2.6
            Oct 10, 2024 10:09:25.228400946 CEST44349714104.102.49.254192.168.2.6
            Oct 10, 2024 10:09:25.229687929 CEST49714443192.168.2.6104.102.49.254
            Oct 10, 2024 10:09:25.229688883 CEST49714443192.168.2.6104.102.49.254
            Oct 10, 2024 10:09:25.229701996 CEST44349714104.102.49.254192.168.2.6
            Oct 10, 2024 10:09:25.229851007 CEST49714443192.168.2.6104.102.49.254
            Oct 10, 2024 10:09:25.313810110 CEST44349714104.102.49.254192.168.2.6
            Oct 10, 2024 10:09:25.313862085 CEST44349714104.102.49.254192.168.2.6
            Oct 10, 2024 10:09:25.313890934 CEST44349714104.102.49.254192.168.2.6
            Oct 10, 2024 10:09:25.313910961 CEST49714443192.168.2.6104.102.49.254
            Oct 10, 2024 10:09:25.314116955 CEST49714443192.168.2.6104.102.49.254
            Oct 10, 2024 10:09:25.316534996 CEST49714443192.168.2.6104.102.49.254
            Oct 10, 2024 10:09:25.316543102 CEST44349714104.102.49.254192.168.2.6
            Oct 10, 2024 10:09:25.316596985 CEST49714443192.168.2.6104.102.49.254
            Oct 10, 2024 10:09:25.316611052 CEST44349714104.102.49.254192.168.2.6

            UDP Packets

            TimestampSource PortDest PortSource IPDest IP
            Oct 10, 2024 10:09:23.968107939 CEST5785553192.168.2.61.1.1.1
            Oct 10, 2024 10:09:23.976938009 CEST53578551.1.1.1192.168.2.6
            Oct 10, 2024 10:09:23.981076956 CEST5538253192.168.2.61.1.1.1
            Oct 10, 2024 10:09:23.990299940 CEST53553821.1.1.1192.168.2.6
            Oct 10, 2024 10:09:23.991669893 CEST6038853192.168.2.61.1.1.1
            Oct 10, 2024 10:09:24.000525951 CEST53603881.1.1.1192.168.2.6
            Oct 10, 2024 10:09:24.002516031 CEST4926153192.168.2.61.1.1.1
            Oct 10, 2024 10:09:24.011765957 CEST53492611.1.1.1192.168.2.6
            Oct 10, 2024 10:09:24.013344049 CEST5367353192.168.2.61.1.1.1
            Oct 10, 2024 10:09:24.019951105 CEST53536731.1.1.1192.168.2.6
            Oct 10, 2024 10:09:24.022283077 CEST6046453192.168.2.61.1.1.1
            Oct 10, 2024 10:09:24.031582117 CEST53604641.1.1.1192.168.2.6
            Oct 10, 2024 10:09:24.041251898 CEST5491653192.168.2.61.1.1.1
            Oct 10, 2024 10:09:24.051187038 CEST53549161.1.1.1192.168.2.6
            Oct 10, 2024 10:09:24.054440975 CEST5150353192.168.2.61.1.1.1
            Oct 10, 2024 10:09:24.063359976 CEST53515031.1.1.1192.168.2.6
            Oct 10, 2024 10:09:24.068438053 CEST6414953192.168.2.61.1.1.1
            Oct 10, 2024 10:09:24.075349092 CEST53641491.1.1.1192.168.2.6

            DNS Queries

            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
            Oct 10, 2024 10:09:23.968107939 CEST192.168.2.61.1.1.10xe9a9Standard query (0)clearancek.siteA (IP address)IN (0x0001)false
            Oct 10, 2024 10:09:23.981076956 CEST192.168.2.61.1.1.10x6d4dStandard query (0)mobbipenju.storeA (IP address)IN (0x0001)false
            Oct 10, 2024 10:09:23.991669893 CEST192.168.2.61.1.1.10xc55dStandard query (0)eaglepawnoy.storeA (IP address)IN (0x0001)false
            Oct 10, 2024 10:09:24.002516031 CEST192.168.2.61.1.1.10xa8e3Standard query (0)dissapoiznw.storeA (IP address)IN (0x0001)false
            Oct 10, 2024 10:09:24.013344049 CEST192.168.2.61.1.1.10xc3c6Standard query (0)studennotediw.storeA (IP address)IN (0x0001)false
            Oct 10, 2024 10:09:24.022283077 CEST192.168.2.61.1.1.10x571fStandard query (0)bathdoomgaz.storeA (IP address)IN (0x0001)false
            Oct 10, 2024 10:09:24.041251898 CEST192.168.2.61.1.1.10x5e4fStandard query (0)spirittunek.storeA (IP address)IN (0x0001)false
            Oct 10, 2024 10:09:24.054440975 CEST192.168.2.61.1.1.10x6e78Standard query (0)licendfilteo.siteA (IP address)IN (0x0001)false
            Oct 10, 2024 10:09:24.068438053 CEST192.168.2.61.1.1.10x2aedStandard query (0)steamcommunity.comA (IP address)IN (0x0001)false

            DNS Answers

            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
            Oct 10, 2024 10:09:23.976938009 CEST1.1.1.1192.168.2.60xe9a9Name error (3)clearancek.sitenonenoneA (IP address)IN (0x0001)false
            Oct 10, 2024 10:09:23.990299940 CEST1.1.1.1192.168.2.60x6d4dName error (3)mobbipenju.storenonenoneA (IP address)IN (0x0001)false
            Oct 10, 2024 10:09:24.000525951 CEST1.1.1.1192.168.2.60xc55dName error (3)eaglepawnoy.storenonenoneA (IP address)IN (0x0001)false
            Oct 10, 2024 10:09:24.011765957 CEST1.1.1.1192.168.2.60xa8e3Name error (3)dissapoiznw.storenonenoneA (IP address)IN (0x0001)false
            Oct 10, 2024 10:09:24.019951105 CEST1.1.1.1192.168.2.60xc3c6Name error (3)studennotediw.storenonenoneA (IP address)IN (0x0001)false
            Oct 10, 2024 10:09:24.031582117 CEST1.1.1.1192.168.2.60x571fName error (3)bathdoomgaz.storenonenoneA (IP address)IN (0x0001)false
            Oct 10, 2024 10:09:24.051187038 CEST1.1.1.1192.168.2.60x5e4fName error (3)spirittunek.storenonenoneA (IP address)IN (0x0001)false
            Oct 10, 2024 10:09:24.063359976 CEST1.1.1.1192.168.2.60x6e78Name error (3)licendfilteo.sitenonenoneA (IP address)IN (0x0001)false
            Oct 10, 2024 10:09:24.075349092 CEST1.1.1.1192.168.2.60x2aedNo error (0)steamcommunity.com104.102.49.254A (IP address)IN (0x0001)false

            HTTP Request Dependency Graph

            • steamcommunity.com

            HTTPS Proxied Packets

            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
            0192.168.2.649714104.102.49.2544433976C:\Users\user\Desktop\file.exe
            TimestampBytes transferredDirectionData
            2024-10-10 08:09:24 UTC219OUTGET /profiles/76561199724331900 HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
            Host: steamcommunity.com
            2024-10-10 08:09:25 UTC1870INHTTP/1.1 200 OK
            Server: nginx
            Content-Type: text/html; charset=UTF-8
            Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
            Expires: Mon, 26 Jul 1997 05:00:00 GMT
            Cache-Control: no-cache
            Date: Thu, 10 Oct 2024 08:09:25 GMT
            Content-Length: 25489
            Connection: close
            Set-Cookie: sessionid=07baddf35cda2d6eafe42949; Path=/; Secure; SameSite=None
            Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
            2024-10-10 08:09:25 UTC14514INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
            Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
            2024-10-10 08:09:25 UTC10975INData Raw: 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 62 75 6c 67 61 72 69 61 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 62 75 6c 67 61 72 69 61 6e 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61
            Data Ascii: <a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a><a class="popup_menu_item tight" href="?l=bulgarian" onclick="ChangeLanguage( 'bulgarian' ); return fa


            Statistics

            CPU Usage

            Click to jump to process

            Memory Usage

            Click to jump to process

            High Level Behavior Distribution

            Click to dive into process behavior distribution

            System Behavior

            General

            Target ID:0
            Start time:04:09:19
            Start date:10/10/2024
            Path:C:\Users\user\Desktop\file.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\file.exe"
            Imagebase:0xe20000
            File size:1'837'056 bytes
            MD5 hash:2E9403B66AD1A28806FFB2B17B2F127E
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Disassembly

            Reset < >

              Execution Graph

              Execution Coverage:0.9%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:76.7%
              Total number of Nodes:43
              Total number of Limit Nodes:3
              execution_graph 21337 e2d110 21339 e2d119 21337->21339 21338 e2d2ee ExitProcess 21339->21338 21331 e63202 RtlAllocateHeap 21345 e699d0 21346 e699f5 21345->21346 21348 e69a5f 21346->21348 21351 e65bb0 LdrInitializeThunk 21346->21351 21347 e69b0e 21348->21347 21352 e65bb0 LdrInitializeThunk 21348->21352 21351->21348 21352->21347 21353 e2edb5 21355 e2edd0 21353->21355 21357 e2fca0 21355->21357 21360 e2fcdc 21357->21360 21358 e2ef70 21360->21358 21361 e63220 21360->21361 21362 e632a2 RtlFreeHeap 21361->21362 21363 e632ac 21361->21363 21364 e63236 21361->21364 21362->21363 21363->21358 21364->21362 21365 e3049b 21369 e30227 21365->21369 21366 e30455 21367 e65700 2 API calls 21366->21367 21370 e30308 21367->21370 21369->21366 21369->21370 21371 e65700 21369->21371 21372 e65797 21371->21372 21373 e6571b 21371->21373 21376 e65729 21371->21376 21377 e6578c 21371->21377 21375 e63220 RtlFreeHeap 21372->21375 21373->21372 21373->21376 21373->21377 21374 e65776 RtlReAllocateHeap 21374->21377 21375->21377 21376->21374 21377->21366 21378 e6695b 21379 e66965 21378->21379 21379->21379 21380 e66a5e 21379->21380 21382 e65bb0 LdrInitializeThunk 21379->21382 21382->21380 21332 e5d9cb 21333 e5d9fb 21332->21333 21333->21333 21334 e5da65 21333->21334 21336 e65bb0 LdrInitializeThunk 21333->21336 21336->21333 21383 e664b8 21384 e663f2 21383->21384 21385 e6646e 21384->21385 21387 e65bb0 LdrInitializeThunk 21384->21387 21387->21385

              Executed Functions

              Function 00E2FCA0 Relevance: 5.4, Strings: 4, Instructions: 373COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 25 e2fca0-e2fcda 26 e2fd0b-e2fe22 25->26 27 e2fcdc-e2fcdf 25->27 29 e2fe24 26->29 30 e2fe5b-e2fe8c 26->30 28 e2fce0-e2fd09 call e32690 27->28 28->26 34 e2fe30-e2fe59 call e32760 29->34 31 e2feb6-e2fec5 call e30b50 30->31 32 e2fe8e-e2fe8f 30->32 40 e2feca-e2fecf 31->40 35 e2fe90-e2feb4 call e32700 32->35 34->30 35->31 43 e2ffe4-e2ffe6 40->43 44 e2fed5-e2fef8 40->44 47 e301b1-e301bb 43->47 45 e2fefa 44->45 46 e2ff2b-e2ff2d 44->46 48 e2ff00-e2ff29 call e327e0 45->48 49 e2ff30-e2ff3a 46->49 48->46 51 e2ff41-e2ff49 49->51 52 e2ff3c-e2ff3f 49->52 53 e301a2-e301ad call e63220 51->53 54 e2ff4f-e2ff76 51->54 52->49 52->51 53->47 56 e2ffab-e2ffb5 54->56 57 e2ff78 54->57 60 e2ffb7-e2ffbb 56->60 61 e2ffeb 56->61 59 e2ff80-e2ffa9 call e32840 57->59 59->56 64 e2ffc7-e2ffcb 60->64 65 e2ffed-e2ffef 61->65 67 e3019a 64->67 69 e2ffd1-e2ffd8 64->69 66 e2fff5-e3002c 65->66 65->67 70 e3005b-e30065 66->70 71 e3002e-e3002f 66->71 67->53 72 e2ffda-e2ffdc 69->72 73 e2ffde 69->73 75 e30067-e3006f 70->75 76 e300a4 70->76 74 e30030-e30059 call e328a0 71->74 72->73 77 e2ffc0-e2ffc5 73->77 78 e2ffe0-e2ffe2 73->78 74->70 80 e30087-e3008b 75->80 81 e300a6-e300a8 76->81 77->64 77->65 78->77 80->67 83 e30091-e30098 80->83 81->67 84 e300ae-e300c5 81->84 87 e3009a-e3009c 83->87 88 e3009e 83->88 85 e300c7 84->85 86 e300fb-e30102 84->86 89 e300d0-e300f9 call e32900 85->89 90 e30130-e3013c 86->90 91 e30104-e3010d 86->91 87->88 92 e30080-e30085 88->92 93 e300a0-e300a2 88->93 89->86 96 e301c2-e301c7 90->96 95 e30117-e3011b 91->95 92->80 92->81 93->92 95->67 98 e3011d-e30124 95->98 96->53 99 e30126-e30128 98->99 100 e3012a 98->100 99->100 101 e30110-e30115 100->101 102 e3012c-e3012e 100->102 101->95 103 e30141-e30143 101->103 102->101 103->67 104 e30145-e3015b 103->104 104->96 105 e3015d-e3015f 104->105 106 e30163-e30166 105->106 107 e30168-e30188 call e32030 106->107 108 e301bc 106->108 111 e30192-e30198 107->111 112 e3018a-e30190 107->112 108->96 111->96 112->106 112->111
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: J|BJ$V$VY^_$t
              • API String ID: 0-3701112211
              • Opcode ID: e724dda6022c0ca0cc9f5a16f72fb82442dff56affe7b4a9392b9f94972aa327
              • Instruction ID: 406c2acdb4b25820bafa6f6641d54526a9e10f25b94f2c45830b35daff46fe03
              • Opcode Fuzzy Hash: e724dda6022c0ca0cc9f5a16f72fb82442dff56affe7b4a9392b9f94972aa327
              • Instruction Fuzzy Hash: 09D1787460D3909BD315DF1495A861FBFF1AB92B48F14982CF4C9AB252C335CD09DB92
              Function 00E2D110 Relevance: 1.7, APIs: 1, Instructions: 168COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 149 e2d110-e2d11b call e64cc0 152 e2d121-e2d130 call e5c8d0 149->152 153 e2d2ee-e2d2f6 ExitProcess 149->153 157 e2d136-e2d15f 152->157 158 e2d2e9 call e656e0 152->158 162 e2d161 157->162 163 e2d196-e2d1bf 157->163 158->153 166 e2d170-e2d194 call e2d300 162->166 164 e2d1c1 163->164 165 e2d1f6-e2d20c 163->165 167 e2d1d0-e2d1f4 call e2d370 164->167 168 e2d239-e2d23b 165->168 169 e2d20e-e2d20f 165->169 166->163 167->165 173 e2d286-e2d2aa 168->173 174 e2d23d-e2d25a 168->174 172 e2d210-e2d237 call e2d3e0 169->172 172->168 176 e2d2d6 call e2e8f0 173->176 177 e2d2ac-e2d2af 173->177 174->173 180 e2d25c-e2d25f 174->180 186 e2d2db-e2d2dd 176->186 181 e2d2b0-e2d2d4 call e2d490 177->181 184 e2d260-e2d284 call e2d440 180->184 181->176 184->173 186->158 189 e2d2df-e2d2e4 call e32f10 call e30b40 186->189 189->158
              APIs
              • ExitProcess.KERNEL32(00000000), ref: 00E2D2F1
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: b816d32722c65b88c720e42a84dd6e28b576027a45a6167973a85f41b0c57bc7
              • Instruction ID: c46346aff351ad2874b544f05121765c5fe8630f567ba3328d7d754c8a84c0b9
              • Opcode Fuzzy Hash: b816d32722c65b88c720e42a84dd6e28b576027a45a6167973a85f41b0c57bc7
              • Instruction Fuzzy Hash: E541357540D390ABD301BB64E984A2EFBF5EF52749F14AC0CE6C4A7262C335D8149B67
              Function 00E65700 Relevance: 1.6, APIs: 1, Instructions: 69memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 194 e65700-e65714 195 e65797-e657a5 call e63220 194->195 196 e657b2 194->196 197 e657b0 194->197 198 e6578c-e65795 call e631a0 194->198 199 e6571b-e65722 194->199 200 e65729-e6574a 194->200 195->197 201 e657b4-e657b9 196->201 197->196 198->201 199->195 199->196 199->197 199->200 202 e65776-e6578a RtlReAllocateHeap 200->202 203 e6574c-e6574f 200->203 202->201 206 e65750-e65774 call e65b30 203->206 206->202
              APIs
              • RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 00E65784
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 95049e33a883f3675c7cb4082da1b4c6aca3a0d194019a155db91ea108085edc
              • Instruction ID: 1855331628ccfd783e9fc01c53a87ac79ed8e8c3a8d6c7755a403c0ebe33190b
              • Opcode Fuzzy Hash: 95049e33a883f3675c7cb4082da1b4c6aca3a0d194019a155db91ea108085edc
              • Instruction Fuzzy Hash: 01119E71A5C240EBC301EF28F840A1BBBF5EF96750F059828E4C8AB221D335E955DB93
              Function 00E65BB0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 221 e65bb0-e65be2 LdrInitializeThunk
              APIs
              • LdrInitializeThunk.NTDLL(00E6973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 00E65BDE
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
              • Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
              • Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
              • Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82
              Function 00E6695B Relevance: 1.4, Strings: 1, Instructions: 100COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 250 e6695b-e6696b call e64a20 253 e66981-e66a02 250->253 254 e6696d 250->254 256 e66a36-e66a42 253->256 257 e66a04 253->257 255 e66970-e6697f 254->255 255->253 255->255 258 e66a44-e66a4f 256->258 259 e66a85-e66a9f 256->259 260 e66a10-e66a34 call e673e0 257->260 261 e66a50-e66a57 258->261 260->256 264 e66a60-e66a66 261->264 265 e66a59-e66a5c 261->265 264->259 267 e66a68-e66a7d call e65bb0 264->267 265->261 266 e66a5e 265->266 266->259 269 e66a82 267->269 269->259
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 4111327afb54d45a58cd736c4ec52efc7c40de3a18c72b4bf71617f9f77bcee8
              • Instruction ID: d94166c1bbe66a9b038c884c536766e7192d7cb9bd7170867c67aeb1c0d3c0e4
              • Opcode Fuzzy Hash: 4111327afb54d45a58cd736c4ec52efc7c40de3a18c72b4bf71617f9f77bcee8
              • Instruction Fuzzy Hash: 3031CDB15683018FD708DF25E89072BB7F1FF84388F04A81CE5C6A7261E3749944CB52
              Function 00E3049B Relevance: .3, Instructions: 264COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 270 e3049b-e30515 call e2c9f0 274 e30242-e30244 270->274 275 e30482-e30484 270->275 276 e30440-e30458 call e65700 270->276 277 e30480 270->277 278 e30227-e3023b 270->278 279 e30246-e30260 270->279 280 e30386-e3038c 270->280 281 e30308-e3030c 270->281 282 e303ec-e303f4 270->282 283 e30393-e30397 270->283 284 e30472-e30477 270->284 285 e30311-e30320 270->285 286 e30370-e3037e 270->286 287 e303d0-e303d7 270->287 288 e30417-e30430 270->288 289 e30356 270->289 290 e3045b-e30469 call e65700 270->290 291 e303fb-e30414 270->291 292 e30339-e3034f 270->292 293 e3035f-e30367 270->293 294 e303be 270->294 295 e303de-e303e3 270->295 296 e3051c-e3051e 270->296 300 e30296-e302bd 274->300 297 e3048d-e30496 275->297 276->290 278->274 278->275 278->276 278->277 278->279 278->280 278->281 278->282 278->283 278->284 278->285 278->286 278->287 278->288 278->289 278->290 278->291 278->292 278->293 278->294 278->295 301 e30262 279->301 302 e30294 279->302 280->275 280->277 280->283 280->284 281->297 282->275 282->277 282->283 282->284 282->291 307 e303a0-e303b7 283->307 284->277 304 e30327-e30332 285->304 286->280 287->275 287->277 287->280 287->282 287->283 287->284 287->288 287->291 287->295 288->276 289->293 290->284 291->288 292->275 292->276 292->277 292->280 292->282 292->283 292->284 292->286 292->287 292->288 292->289 292->290 292->291 292->293 292->294 292->295 293->286 294->287 295->282 299 e30520-e30b30 296->299 297->299 309 e302ea-e30301 300->309 310 e302bf 300->310 308 e30270-e30292 call e32eb0 301->308 302->300 304->275 304->276 304->277 304->280 304->282 304->283 304->284 304->286 304->287 304->288 304->289 304->290 304->291 304->292 304->293 304->294 304->295 307->275 307->276 307->277 307->280 307->282 307->283 307->284 307->287 307->288 307->290 307->291 307->294 307->295 308->302 309->275 309->276 309->277 309->280 309->281 309->282 309->283 309->284 309->285 309->286 309->287 309->288 309->289 309->290 309->291 309->292 309->293 309->294 309->295 317 e302c0-e302e8 call e32e70 310->317 317->309
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ad26d5c4ec0acafb1f3c0fe6312da54d90a6a6509bef4ee4192aaa9fc4ff6e5e
              • Instruction ID: da9ef730685e84987304f96ed4cebb66dc9ada1f74682db3e8e9f863a7b983df
              • Opcode Fuzzy Hash: ad26d5c4ec0acafb1f3c0fe6312da54d90a6a6509bef4ee4192aaa9fc4ff6e5e
              • Instruction Fuzzy Hash: FE919B75200B00DFD724CF26E894A17B7F6FF89310F118A6CE8569BAA2D771E819CB50
              Function 00E30228 Relevance: .2, Instructions: 218COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 324 e30228-e3023b 325 e30242-e30244 324->325 326 e30482-e30484 324->326 327 e30440-e30458 call e65700 324->327 328 e30480 324->328 329 e30246-e30260 324->329 330 e30386-e3038c 324->330 331 e30308-e3030c 324->331 332 e303ec-e303f4 324->332 333 e30393-e30397 324->333 334 e30472-e30477 324->334 335 e30311-e30320 324->335 336 e30370-e3037e 324->336 337 e303d0-e303d7 324->337 338 e30417-e30430 324->338 339 e30356 324->339 340 e3045b-e30469 call e65700 324->340 341 e303fb-e30414 324->341 342 e30339-e3034f 324->342 343 e3035f-e30367 324->343 344 e303be 324->344 345 e303de-e303e3 324->345 348 e30296-e302bd 325->348 346 e3048d-e30b30 326->346 327->340 349 e30262 329->349 350 e30294 329->350 330->326 330->328 330->333 330->334 331->346 332->326 332->328 332->333 332->334 332->341 355 e303a0-e303b7 333->355 334->328 352 e30327-e30332 335->352 336->330 337->326 337->328 337->330 337->332 337->333 337->334 337->338 337->341 337->345 338->327 339->343 340->334 341->338 342->326 342->327 342->328 342->330 342->332 342->333 342->334 342->336 342->337 342->338 342->339 342->340 342->341 342->343 342->344 342->345 343->336 344->337 345->332 357 e302ea-e30301 348->357 358 e302bf 348->358 356 e30270-e30292 call e32eb0 349->356 350->348 352->326 352->327 352->328 352->330 352->332 352->333 352->334 352->336 352->337 352->338 352->339 352->340 352->341 352->342 352->343 352->344 352->345 355->326 355->327 355->328 355->330 355->332 355->333 355->334 355->337 355->338 355->340 355->341 355->344 355->345 356->350 357->326 357->327 357->328 357->330 357->331 357->332 357->333 357->334 357->335 357->336 357->337 357->338 357->339 357->340 357->341 357->342 357->343 357->344 357->345 364 e302c0-e302e8 call e32e70 358->364 364->357
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6d9df747931da8e89ea46ad5c8af96b5178bf19e505a17cd5726b875909486bc
              • Instruction ID: ba42aab752720a70402af8b205156d5900986db3b06682e6235c8fea9ca828a2
              • Opcode Fuzzy Hash: 6d9df747931da8e89ea46ad5c8af96b5178bf19e505a17cd5726b875909486bc
              • Instruction Fuzzy Hash: 72717975200700DFD724CF22E898A27BBF6FF89314F10896CE8569B6A2D771A819CB50
              Function 00E699D0 Relevance: .1, Instructions: 143COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: febf48ad65306c6a117a9b52c400590b19f236ccd2213f8de6d5ffb7c02bbd80
              • Instruction ID: ae305e21b33ff3abbcd66d520f1d5163dc216442aa826417baf0ee80eb2a745e
              • Opcode Fuzzy Hash: febf48ad65306c6a117a9b52c400590b19f236ccd2213f8de6d5ffb7c02bbd80
              • Instruction Fuzzy Hash: BE41D035288300AFD714DF55E990B2FB7F9EB85798F14A82CF589A7242D371E800CB66
              Function 00E663B8 Relevance: .1, Instructions: 99COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 822d25d6dbee50913d8e7af9ebd63898144f9072f73b2dfe76e926f5153a7cda
              • Instruction ID: 3c216c87991eac3f6deafbcd0792e26883f35702877cf1b78d3a4f40ff3084bd
              • Opcode Fuzzy Hash: 822d25d6dbee50913d8e7af9ebd63898144f9072f73b2dfe76e926f5153a7cda
              • Instruction Fuzzy Hash: 3B312570698301BED624DB05ED82F3AB7A2FB80B94F64690CF1917B2D1C7B0A8508B52
              Function 00E30EEC Relevance: .1, Instructions: 72COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: acdd5e76ab06be3a61b780d4ef295b7f7590147a5654fcefc71e9269da8bcc75
              • Instruction ID: aa46fbe1996c08eaeeb8de5ac7022f32258a7075d98a6163b02a4d0e711db20b
              • Opcode Fuzzy Hash: acdd5e76ab06be3a61b780d4ef295b7f7590147a5654fcefc71e9269da8bcc75
              • Instruction Fuzzy Hash: 042139B4A0021A9FDB15CF94DCA4BBEBBB1FB4A304F144848E511BB292C735A901CB64
              Function 00E63220 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 211 e63220-e6322f 212 e63236-e63252 211->212 213 e632a2-e632a6 RtlFreeHeap 211->213 214 e632a0 211->214 215 e632ac-e632b0 211->215 216 e63286-e63296 212->216 217 e63254 212->217 213->215 214->213 216->214 218 e63260-e63284 call e65af0 217->218 218->216
              APIs
              • RtlFreeHeap.NTDLL(?,00000000), ref: 00E632A6
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: cf6570b9642d521e9bb603b0fb1dd1bee23c7f3c83b0fa8cf068e03b8172c6f8
              • Instruction ID: 0d93e874a21fcdbfc572bf718234f1355ece6a1727d0243ed6bfda95d8aaebb3
              • Opcode Fuzzy Hash: cf6570b9642d521e9bb603b0fb1dd1bee23c7f3c83b0fa8cf068e03b8172c6f8
              • Instruction Fuzzy Hash: 4001AD3050D240AFC301EF28E894A1ABBF8EF4A700F05491CE4C8AB321D335DC64DB92
              Function 00E63202 Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 222 e63202-e63211 RtlAllocateHeap
              APIs
              • RtlAllocateHeap.NTDLL(?,00000000), ref: 00E63208
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 3a0c76e5b74b79dd900c8670add19680f972f8b3841ec87cd664cc3132df2797
              • Instruction ID: 4b413da9799bb5322b9347f52b17f9280915dd61f5a6ab3e6d541b8e4e78e398
              • Opcode Fuzzy Hash: 3a0c76e5b74b79dd900c8670add19680f972f8b3841ec87cd664cc3132df2797
              • Instruction Fuzzy Hash: 0DB012300400005FDA081B00EC0AF003520EF00605F800050E104140B1D16158B8C554

              Non-executed Functions

              Function 00E523E0 Relevance: 33.0, APIs: 4, Strings: 13, Instructions: 3298COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C$#v
              • API String ID: 0-2260822535
              • Opcode ID: ff582884ca58b9072fc99eb80997e78efdcdaa28d03f2f95f141d8c2e896bc01
              • Instruction ID: add9613ef17de52e9ae5576a54fc6937aab2de19965504c4db7a3ccf46ff4516
              • Opcode Fuzzy Hash: ff582884ca58b9072fc99eb80997e78efdcdaa28d03f2f95f141d8c2e896bc01
              • Instruction Fuzzy Hash: BA33DE70504B818FD7258F38C590762BBF1BF16305F58598DE8DAAB792C735E80ACB61
              Function 00E3DB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
              • API String ID: 2994545307-1418943773
              • Opcode ID: 4bfd689f19b140ca4406eb3d78a1a980123264c2aaa7d59490e746c6a25d93d3
              • Instruction ID: a140e30c1291eee1a3c5d48315fe4c99efb44f3ce867a638ddfea257023766d1
              • Opcode Fuzzy Hash: 4bfd689f19b140ca4406eb3d78a1a980123264c2aaa7d59490e746c6a25d93d3
              • Instruction Fuzzy Hash: 15F288B05093819FD774CF14D888BABBBE2BFD5344F54582CE4C9AB291DB719884CB92
              Function 00E49F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
              • API String ID: 0-1131134755
              • Opcode ID: f09170208b42afc44e4d38ccb0f39e3d6e0ba9f48c4aeeb6602843f69a28ac26
              • Instruction ID: 3054421e415943348fe1e42efe3378c1d87e96c93b7494dfa09f81b7557cbe81
              • Opcode Fuzzy Hash: f09170208b42afc44e4d38ccb0f39e3d6e0ba9f48c4aeeb6602843f69a28ac26
              • Instruction Fuzzy Hash: 5152C7B404D385CAE270CF25E581B8EBAF1BB92740F609A1DE1ED6B255DB708045CF93
              Function 00E49510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
              • API String ID: 0-655414846
              • Opcode ID: 293c9b058ff36a95d3a0771e2cbd20c80f11258804c3ce2d114919d9fa35b44b
              • Instruction ID: 98be131a533ed8334bb0ce74183c42b7546c063e0ec14178a0dfbf98061c5d91
              • Opcode Fuzzy Hash: 293c9b058ff36a95d3a0771e2cbd20c80f11258804c3ce2d114919d9fa35b44b
              • Instruction Fuzzy Hash: 0DF130B0508380ABD314DF15E881A2BBBF4FB8AB48F145D1CF4D9AB252D374D908CB96
              Function 00E4DD29 Relevance: 18.6, Strings: 14, Instructions: 1142COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: $%*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$r$upH}${E$
              • API String ID: 0-4053686350
              • Opcode ID: 08077f8fa95ef05bac3329052bd4885d765b115b059df289925af0125786a913
              • Instruction ID: d17278d38840603f0dfda4c4f6e3e36444967586ab14db8d0b15ad70acbcbdef
              • Opcode Fuzzy Hash: 08077f8fa95ef05bac3329052bd4885d765b115b059df289925af0125786a913
              • Instruction Fuzzy Hash: 99920371E00205CFDB18CF69E8416AEBBB2FF49314F2981A9E456BB391D731AD45CB90
              Function 00E4098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
              • API String ID: 0-4102007303
              • Opcode ID: d3246c0aa2d204eb3436700ba4cb24160012656235f029c661a8b4b5456992d7
              • Instruction ID: 580d5b5a6d9620c4bd44490ff0ceb82262e8fdef61e483841c89798db4279b36
              • Opcode Fuzzy Hash: d3246c0aa2d204eb3436700ba4cb24160012656235f029c661a8b4b5456992d7
              • Instruction Fuzzy Hash: AF6288B16083818FD730CF14E891BABB7E1FF96314F08592DE49A9B641E3759984CB93
              Function 00E21000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
              • API String ID: 0-2517803157
              • Opcode ID: 52f471d1a82af99e2dc1888edcdeb28b1d12cfaf27d72bba8a394d915708c26e
              • Instruction ID: f098e1690a6bbc0d22b3595e46b4b5e24d290c0b43a7f9ad2675ea147727cf1a
              • Opcode Fuzzy Hash: 52f471d1a82af99e2dc1888edcdeb28b1d12cfaf27d72bba8a394d915708c26e
              • Instruction Fuzzy Hash: 64D257316083619FC718CE28D48036ABBE2AFD5318F18DA6DE599E7391D734DE45CB82
              Function 00FF778E Relevance: 10.4, Strings: 7, Instructions: 1636COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: ?Ggv$MM$Oy~k$cXwU$m%!W$2wx$k_k
              • API String ID: 0-1727752228
              • Opcode ID: 1b7e033d2b3beb97cb4acde9f29f7a336d8525cb2aa0ad440388716aebdbac01
              • Instruction ID: 846b024bb5db6d83e839bcf9988c25ba1ddf4ff0c3ce6bc442875ef6643f8f14
              • Opcode Fuzzy Hash: 1b7e033d2b3beb97cb4acde9f29f7a336d8525cb2aa0ad440388716aebdbac01
              • Instruction Fuzzy Hash: 19B208F360C6009FE304AE2DEC8567AFBE5EF94720F1A453DE6C5C3744EA3558058696
              Function 00FEBDFB Relevance: 7.8, Strings: 5, Instructions: 1572COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: OtE$WhQ!$hEu~$yHE$s
              • API String ID: 0-113979995
              • Opcode ID: 0acd1a20592d6b2215715f650b4b2aa5019fc3c83dc62d49ab5ba6b99dec70e1
              • Instruction ID: 0f48b5165bf8b85c2d18379c2dc1804af9e3c6089aa45c903e00c74e6df756f7
              • Opcode Fuzzy Hash: 0acd1a20592d6b2215715f650b4b2aa5019fc3c83dc62d49ab5ba6b99dec70e1
              • Instruction Fuzzy Hash: 3DA2F9F3A0C2049FE304AE69EC8567AB7E9EF94720F16493DEAC5C7344E63598018797
              Function 00E212F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: 0$0$0$@$i
              • API String ID: 0-3124195287
              • Opcode ID: 52c6d398fc858bdb29b1bb2ddae4ef8491c4a5c831e9884298e293d9cd1c5531
              • Instruction ID: f732a9b9d5bd73b4a0880a6426e7c7f9982b8640e423133a59c00626f08be8fd
              • Opcode Fuzzy Hash: 52c6d398fc858bdb29b1bb2ddae4ef8491c4a5c831e9884298e293d9cd1c5531
              • Instruction Fuzzy Hash: B162133160C3A19FC318CF28D49036ABBE1AFD5308F189A5DE9D9A7391D774D949CB82
              Function 00E2164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
              • API String ID: 0-1123320326
              • Opcode ID: d1a8edf9b9e2b1f5e57d339c8c7abb6a71a1feb24a931e7b0f63710b1cb022f3
              • Instruction ID: 5c88512c76c50360e8e4758d26aa6c95be8ae0c97a09cc230c25fae6908c0df8
              • Opcode Fuzzy Hash: d1a8edf9b9e2b1f5e57d339c8c7abb6a71a1feb24a931e7b0f63710b1cb022f3
              • Instruction Fuzzy Hash: 1BF1D13060C3A19FC715CE28D48436AFBE2AFD9308F189A6DE5D997352D734D944CB92
              Function 00E213A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
              • API String ID: 0-3620105454
              • Opcode ID: 2b2e8f075c451a6ae8b1aecacb10a9a998ec48fe79c94041963553a8b82a8a3c
              • Instruction ID: fbc3d11b7b26ffbd21995e943fb60171e739f80104a62f724e16f435723344d5
              • Opcode Fuzzy Hash: 2b2e8f075c451a6ae8b1aecacb10a9a998ec48fe79c94041963553a8b82a8a3c
              • Instruction Fuzzy Hash: 20D1CF3160C3919FC719CE29D48026AFFE2AFD9308F08DA6DE4D997352D634DA49CB52
              Function 00E4FD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: :$NA_I$m1s3$uvw
              • API String ID: 0-3973114637
              • Opcode ID: a8a26d6c933ad621ffad18b19f672bac5ef9fcb4343c92d57d5d08252a956319
              • Instruction ID: 45ead688a70e62b117c57ef3ed6ae4eecb1072a4264511f58ec0b38465b1039d
              • Opcode Fuzzy Hash: a8a26d6c933ad621ffad18b19f672bac5ef9fcb4343c92d57d5d08252a956319
              • Instruction Fuzzy Hash: AD32CAB0508380CFD310DF29D881A2ABBE1AB8A355F145D6CF9D5AB2A2D335D949CF52
              Function 00E33BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %*+($;z$p$ss
              • API String ID: 0-2391135358
              • Opcode ID: e2a95182d06c7ed1255bb92c5eed2cc47b93068df5914be0353f75160a0f4a79
              • Instruction ID: 28179fd1cd10290010f01713b2feb29fb1153b8ccf283314d9b458b29513ef0a
              • Opcode Fuzzy Hash: e2a95182d06c7ed1255bb92c5eed2cc47b93068df5914be0353f75160a0f4a79
              • Instruction Fuzzy Hash: D7025CB4810B00DFD760DF25D98AB56BFF5FF01300F50595DE89A9B696E370A418CBA2
              Function 00FF4122 Relevance: 5.4, Strings: 3, Instructions: 1644COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: 0IY$UP_[$oDl^
              • API String ID: 0-1816934101
              • Opcode ID: 63c2ec95389074cce56f7b0f4f3a6db9d625a36dfda8df85095ed627bfb788c4
              • Instruction ID: d9012e49e9046f35d5f2d7b506dcc1bcbdc92be0947e0f37e38b68b2e138baba
              • Opcode Fuzzy Hash: 63c2ec95389074cce56f7b0f4f3a6db9d625a36dfda8df85095ed627bfb788c4
              • Instruction Fuzzy Hash: 35B237F3A082149FE3046E2DEC8567AFBE9EF94720F1A493DEAC4C7744E63558058792
              Function 00E42260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: a|$hu$lc$sj
              • API String ID: 0-3748788050
              • Opcode ID: 7d48594d0b8b1ffb696dfaba10f71069683009cad9b7e9cfd61fc24121404855
              • Instruction ID: 9f07f3370eb01cbfc7be865f1fca4c56d04c5d6ba4fe30a2d50b0bf5df2cf37c
              • Opcode Fuzzy Hash: 7d48594d0b8b1ffb696dfaba10f71069683009cad9b7e9cfd61fc24121404855
              • Instruction Fuzzy Hash: F1A19DB04083418BC720DF18D891A2BB7F0FF95758F54AA0CF9D5AB291E339D945CB96
              Function 00FED845 Relevance: 5.3, Strings: 3, Instructions: 1595COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: nSn$p3}x$`Z
              • API String ID: 0-1453664566
              • Opcode ID: 67e813cbda39bba401668523173d83d8056c059ea6450796643e69d07f549945
              • Instruction ID: 638194cf31970384201cf85b60aae47b623dbaf0c6b2f86cb48ea09a109eed9d
              • Opcode Fuzzy Hash: 67e813cbda39bba401668523173d83d8056c059ea6450796643e69d07f549945
              • Instruction Fuzzy Hash: 01B217F360C2049FE3046E29EC8567AFBE5EFD4720F1A493DE6C4C7744EA3598058696
              Function 00E4D7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: #'$CV$KV$T>
              • API String ID: 0-95592268
              • Opcode ID: 79fbd54c5d775d903c6647c7c664ca483c552da32de1000872181689ceac1621
              • Instruction ID: 9fb1a485be11a1335c442e8483ee603e86217695594fc19e0c1f0975db0937ff
              • Opcode Fuzzy Hash: 79fbd54c5d775d903c6647c7c664ca483c552da32de1000872181689ceac1621
              • Instruction Fuzzy Hash: C68166B48057459BCB20DFA5D68516EBFB1FF16300F605A0CE886BBA55C330AA55CFE2
              Function 00F4C7F9 Relevance: 5.2, Strings: 4, Instructions: 192COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: R3W$&wN$5Dow$K_
              • API String ID: 0-1591815496
              • Opcode ID: ffdd9f71d25ba4339f8aec9ad7b706988fc87c852ed622e8ff9a490c42598049
              • Instruction ID: b1c43c8755f46ac828823e0ef2f256d406ea0211e7776fc9bbd8bab74c870205
              • Opcode Fuzzy Hash: ffdd9f71d25ba4339f8aec9ad7b706988fc87c852ed622e8ff9a490c42598049
              • Instruction Fuzzy Hash: CF515CF3B083045BE308AA6DEC85B3BB7D9DB94720F19453CDB89C3785E8395D064596
              Function 00E4AC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: (g6e$,{*y$4c2a$lk
              • API String ID: 0-1327526056
              • Opcode ID: 448edaac791b51cced5614f593534c8d267ac92dd4e4c8e4608fb9d6cf5898f6
              • Instruction ID: a0f9465b15453db09105f8d649b393f3ef1bed7d1c2b775de78747efda2c0317
              • Opcode Fuzzy Hash: 448edaac791b51cced5614f593534c8d267ac92dd4e4c8e4608fb9d6cf5898f6
              • Instruction Fuzzy Hash: C4417774808381CAD720DF24E900BABB7F4FF86349F54696DE5C8A7260DB31D949CB96
              Function 00E4C470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %*+($%*+($~/i!
              • API String ID: 0-4033100838
              • Opcode ID: 59c687510b0c297350d7205027a9fee61e01e4a59ec2456dbae59e932e66e966
              • Instruction ID: b5a8519bec4ef006284ef13ec0a1f43c9b7634fbb2c3289384b6d80ed5b77770
              • Opcode Fuzzy Hash: 59c687510b0c297350d7205027a9fee61e01e4a59ec2456dbae59e932e66e966
              • Instruction Fuzzy Hash: 45E1B7B1509340EFE324DF69E881B1ABBF5FB85344F18982CE689A7251D731D858CB92
              Function 00E28590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: )$)$IEND
              • API String ID: 0-588110143
              • Opcode ID: 1b1ef7eba5e8d8bb044e031ca2363b03737c6fdbea77278b4002f62c88d3720c
              • Instruction ID: d99e84c5aef3b281481b0dd80c16e749d8976f7b10acaab55fd95560c72a8818
              • Opcode Fuzzy Hash: 1b1ef7eba5e8d8bb044e031ca2363b03737c6fdbea77278b4002f62c88d3720c
              • Instruction Fuzzy Hash: C0E1D3B1A087119FE310CF28E84176AFBE0BF94318F14592DE599A7381DB75E954CBC2
              Function 00FEF2E4 Relevance: 4.1, Strings: 2, Instructions: 1598COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: <o$c}w
              • API String ID: 0-2106396876
              • Opcode ID: 2c3a7c54809a6e664c7de0a390e7f9fdd53c95cbdfcbd16ea4b1a0c26c7d2d33
              • Instruction ID: 59860a03910aa05ed1703231d19a0fba1b672d2459707e277f1eadefbf4f0597
              • Opcode Fuzzy Hash: 2c3a7c54809a6e664c7de0a390e7f9fdd53c95cbdfcbd16ea4b1a0c26c7d2d33
              • Instruction Fuzzy Hash: 0CA218F3A0C614AFE3046E2DEC8567ABBE9EF94320F16493DEAC4C7740E63558058796
              Function 00FEA469 Relevance: 4.0, Strings: 2, Instructions: 1531COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: YQUG$]+q
              • API String ID: 0-784011609
              • Opcode ID: 234ece7b9f58bee28007725f432e58f8387ef839c3243518d4cd2d45637665e2
              • Instruction ID: 332b1d642817b0584af9351ae10aef0d280a26c733d820f8bce5fac897d909b8
              • Opcode Fuzzy Hash: 234ece7b9f58bee28007725f432e58f8387ef839c3243518d4cd2d45637665e2
              • Instruction Fuzzy Hash: 45A2F8F3A0C2009FE3046E29EC8567AFBE9EFD4720F1A853DE6C487744EA3558458697
              Function 00FF6134 Relevance: 3.7, Strings: 2, Instructions: 1218COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: BB}~${6Z%
              • API String ID: 0-1653305607
              • Opcode ID: 5f0b8a74f341cac22755df192f0d36235a99e9f6c3cffc7012e4f0e0777c5253
              • Instruction ID: 4d019491d26d047b49370325f65810e15020dcc3cf5bae9db3720eda2efaea1b
              • Opcode Fuzzy Hash: 5f0b8a74f341cac22755df192f0d36235a99e9f6c3cffc7012e4f0e0777c5253
              • Instruction Fuzzy Hash: 3E8207F360C2049FE3046E2DDC8567AFBE9EF94720F16893DEAC4C3744EA7598058696
              Function 00FE94B7 Relevance: 3.3, Strings: 2, Instructions: 752COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: 3,=_$T|W
              • API String ID: 0-2829262593
              • Opcode ID: c0a12eb58b947f5cde991252e8edadc77e78fbe05806b53b1b3b5a999035b302
              • Instruction ID: d027e21a7b3ae490c9c4c1e5fd7352d3b2071c144f45cca5b5b066c407b98aa5
              • Opcode Fuzzy Hash: c0a12eb58b947f5cde991252e8edadc77e78fbe05806b53b1b3b5a999035b302
              • Instruction Fuzzy Hash: 34224BF390C6049FE3046E2DEC8167BFBE9EB94660F1A463DEAC4C7744EA3558058687
              Function 00E64040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %*+($f
              • API String ID: 0-2038831151
              • Opcode ID: ec09332df0dc16cc6ff1f0f93707a822d79332838655c1450b67e6ba58267753
              • Instruction ID: ffdcabaf3cfd66f339029fe728c5e7ee9ad902590b0cbd4737ac26d8ea5a6423
              • Opcode Fuzzy Hash: ec09332df0dc16cc6ff1f0f93707a822d79332838655c1450b67e6ba58267753
              • Instruction Fuzzy Hash: 4412CFB15483408FC715CF14E880B2EBBE1FB8A358F149A2DF495A7391D771E845CB92
              Function 00E5F620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: dg$hi
              • API String ID: 0-2859417413
              • Opcode ID: 5a6ce1d73b063de8508f5e064c80ae2fcd7f27d31dc5e223b19c27d3d10fc453
              • Instruction ID: 84fafd2fc22891f0bae6418a62873e71521b87fd9c2ad0e8b95697bc6f8ed135
              • Opcode Fuzzy Hash: 5a6ce1d73b063de8508f5e064c80ae2fcd7f27d31dc5e223b19c27d3d10fc453
              • Instruction Fuzzy Hash: A2F18571618301EFE708CF25D891B2ABBE6EB85345F14AD2CF595AB2A1C735D848CB12
              Function 00E235B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: Inf$NaN
              • API String ID: 0-3500518849
              • Opcode ID: 7e667e1b0682f496da42c1693f5d446326c0f523dfd3c0f6e2134436882f681e
              • Instruction ID: c3f4176b5a6dfa13f6ff8d11303c0ee29d2938ad1a04e6bea338449bc187f608
              • Opcode Fuzzy Hash: 7e667e1b0682f496da42c1693f5d446326c0f523dfd3c0f6e2134436882f681e
              • Instruction Fuzzy Hash: 2AD1F7B1A083219BC708CF29D88061FB7E5EBC8750F14993DF999A7390E675DD448F82
              Function 00E3FFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: BaBc$Ye[g
              • API String ID: 0-286865133
              • Opcode ID: 72a2ae6e6a7bbb6ef214095ff5d3d5248d70ba62376d73632e61324e4f92becf
              • Instruction ID: af7239270e343b7181641e245687b82678570887a5faea301715eb31f296eeb5
              • Opcode Fuzzy Hash: 72a2ae6e6a7bbb6ef214095ff5d3d5248d70ba62376d73632e61324e4f92becf
              • Instruction Fuzzy Hash: 9B519BB16083818AD331CF14D481BABB7E0FF96314F196D2DE4DAAB691E3749940CB57
              Function 00E25160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %1.17g
              • API String ID: 0-1551345525
              • Opcode ID: baa3c8b3a4bd24417fe87923a0a6cfb7b14647d0b4c8bc00c971b952feaa1848
              • Instruction ID: 49953649254198389d75f8d04b86cba9e2fe63811815286d68b2943fd13b019e
              • Opcode Fuzzy Hash: baa3c8b3a4bd24417fe87923a0a6cfb7b14647d0b4c8bc00c971b952feaa1848
              • Instruction Fuzzy Hash: 5022E6B3908B61CBE7158F18EA40326BBE2AFE0308F1DA56ED8596B351E7B1DC44C741
              Function 00E512D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: "
              • API String ID: 0-123907689
              • Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
              • Instruction ID: cd71babf134c4098180e73ff33181c9888f30e31fb5456977dea6f41179c2958
              • Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
              • Instruction Fuzzy Hash: D5F13771A083414BC724CE28C49076BBBE5AFC5359F1C9DADEC9AA7382D634DD09C792
              Function 00E4AE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %*+(
              • API String ID: 0-3233224373
              • Opcode ID: 8c19f17d2677eba1f2440cba1a4d6f9038bc05917fa8c5f131d606411108121e
              • Instruction ID: f1341fd108248ad36b280bbb69d72cf42f0e7e676d553e1ec876fa0ad500fb9a
              • Opcode Fuzzy Hash: 8c19f17d2677eba1f2440cba1a4d6f9038bc05917fa8c5f131d606411108121e
              • Instruction Fuzzy Hash: F1E1A971508306CBC724DF2AE89056EB3F2FF98795F54991CE4C5A7260E331E999CB82
              Function 00E36EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %*+(
              • API String ID: 0-3233224373
              • Opcode ID: 9dde5592b3db2a7328ead1bb242580f6cd39417cee0ce013a4730a7bfc73a305
              • Instruction ID: 8d6214f37c7fdef4159d750d2f95e8eff196819562bad0e9db7cd4d71457af53
              • Opcode Fuzzy Hash: 9dde5592b3db2a7328ead1bb242580f6cd39417cee0ce013a4730a7bfc73a305
              • Instruction Fuzzy Hash: 99F1AEB5600A019FC724DF35E885A27B7F2FF48314B249A2DD497A76A1EB70F815CB41
              Function 00E47E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %*+(
              • API String ID: 0-3233224373
              • Opcode ID: f208fb7fa8cc6471058cb903ef839330f66e671fc6cfad18b34d5e7c1e2b466a
              • Instruction ID: 4b3512c03ba8be7142d36409d8341a0901abefe9da4bb2177fc6782336360006
              • Opcode Fuzzy Hash: f208fb7fa8cc6471058cb903ef839330f66e671fc6cfad18b34d5e7c1e2b466a
              • Instruction Fuzzy Hash: 76C1BE71909200ABD710EF14E982A2FB7F5EF95758F086819F8C5A7352E734ED05CBA2
              Function 00E48D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %*+(
              • API String ID: 0-3233224373
              • Opcode ID: 5102c682d0312200cfedc666265fa0e394c5311af4024e5b5404b863d64a7a0b
              • Instruction ID: d5b59967d9137a42fe24ec1472934f0e852a87dbe7b5193b83ca5037e8237c6f
              • Opcode Fuzzy Hash: 5102c682d0312200cfedc666265fa0e394c5311af4024e5b5404b863d64a7a0b
              • Instruction Fuzzy Hash: 2FD1E070618302DFD718DF65EC90A2AB7E5FF88304F09486CE98AE7291D734E994CB51
              Function 00E34487 Relevance: 1.6, Strings: 1, Instructions: 389COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: BI
              • API String ID: 0-1983775064
              • Opcode ID: 4421619c0d9eb25be1a195b64aa06c20d142f140acac6b722b9ccf698cccdd9d
              • Instruction ID: c432293397c539bba484f4e011610953b0ba7cf2ea20e23bb3748c043b71e602
              • Opcode Fuzzy Hash: 4421619c0d9eb25be1a195b64aa06c20d142f140acac6b722b9ccf698cccdd9d
              • Instruction Fuzzy Hash: 29E10FB5501B008FD321CF28E996B97BBE1FF06708F04886DE4AA97692E775B814CB14
              Function 00E67FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: P
              • API String ID: 0-3110715001
              • Opcode ID: 62d17ec5469cca0bf484d818a9fc80387d56ad98256f6fb7f31e8f828b06fb23
              • Instruction ID: 446c4ebc4380529aecb855b09aec3633dc9e48f2b8370547d48fe08898b17ea2
              • Opcode Fuzzy Hash: 62d17ec5469cca0bf484d818a9fc80387d56ad98256f6fb7f31e8f828b06fb23
              • Instruction Fuzzy Hash: DED1F5729482618FC725CE18A89071EB7E1EBC5798F159A2CE8B5BB390CB71DC45C7C1
              Function 00E66CBF Relevance: 1.6, Strings: 1, Instructions: 384COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: "p
              • API String ID: 0-1647296830
              • Opcode ID: d05348a75e43f0104ec39bc457e4360f109fd8bd118b42de3f833e9ca25dff46
              • Instruction ID: bd667ce81cf043cfb3b1ad2d50c08cf87263f5430680b52ba95794869a57bca2
              • Opcode Fuzzy Hash: d05348a75e43f0104ec39bc457e4360f109fd8bd118b42de3f833e9ca25dff46
              • Instruction Fuzzy Hash: EED1F336618351CFC715CF39E88052AF7E2BB89354F094A6DE499E7391D331DA88CB91
              Function 00E4CCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: %*+(
              • API String ID: 2994545307-3233224373
              • Opcode ID: 2d26819c56fdbd7ffb18fee48cac9ff2456f6f7ee4e9c4988ab26f072386d20a
              • Instruction ID: 347551f9b16abae0e6a73310c2477a272ec1ecfd86798400bdf8f9c49572f5c6
              • Opcode Fuzzy Hash: 2d26819c56fdbd7ffb18fee48cac9ff2456f6f7ee4e9c4988ab26f072386d20a
              • Instruction Fuzzy Hash: F3B1E071A0A3019BD714DF14E881B3BBBE2EF85344F24692CE5C5AB251E335E859CB92
              Function 00E2A850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: ,
              • API String ID: 0-3772416878
              • Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
              • Instruction ID: 36a9a76a71dc90fa19199608db764bd675c68bbf9a468eeae6e3cef353879aee
              • Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
              • Instruction Fuzzy Hash: 56B138711083819FD324CF19D88061BBBE1AFA9704F488E2DF5D997342D671EA58CB97
              Function 00E5FC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %*+(
              • API String ID: 0-3233224373
              • Opcode ID: f2becf6f2a8b2c96da279cce6ac60557f81d4ade5b6d8eda9a90bbe92e939eb2
              • Instruction ID: d9e7601d94541c28e3a12f813bc88e4a713993e2cf7d93a3877833684d51cfca
              • Opcode Fuzzy Hash: f2becf6f2a8b2c96da279cce6ac60557f81d4ade5b6d8eda9a90bbe92e939eb2
              • Instruction Fuzzy Hash: D181EC71608300AFD714DF65E881B2AB7F5FB89746F049C2CFA88A7251D771D858CB62
              Function 00E3D457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %*+(
              • API String ID: 0-3233224373
              • Opcode ID: c18f3a7c73c424e6d8a2657fe8f5fdc051371a60234702fb100f4b5f0a23b713
              • Instruction ID: 4dfde748de54e4215fc495f818620533ae29aa19a101319174180e3784e67eb8
              • Opcode Fuzzy Hash: c18f3a7c73c424e6d8a2657fe8f5fdc051371a60234702fb100f4b5f0a23b713
              • Instruction Fuzzy Hash: C761E2B2909214DFD711EF18EC82A2AB7F4FF94358F48182CF989AB251E371D954C792
              Function 00EA5B16 Relevance: 1.5, Strings: 1, Instructions: 240COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: BJ0e
              • API String ID: 0-2412438680
              • Opcode ID: b25dbf6c994b126bfaec2b10f7b5e72aed77cf433eaa699604348d11199dff58
              • Instruction ID: 09276be9a8ee2c61a3ea4bb64bd30e139a4ec0046b6db5589ce15bf29a9d44cb
              • Opcode Fuzzy Hash: b25dbf6c994b126bfaec2b10f7b5e72aed77cf433eaa699604348d11199dff58
              • Instruction Fuzzy Hash: 4A71F6F3A082045FF350AE2DDC85766B7D9EB94320F1A453DEBC8D3780E97958058786
              Function 00E64A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %*+(
              • API String ID: 0-3233224373
              • Opcode ID: b1853024aed4013cb1262ce3cf049cb2b68ede0dcb4be03329ca0a33b6b04625
              • Instruction ID: 76118878545b0f585723d0453a4c3484cbbb31934c3210c56d526eefaf7ebe15
              • Opcode Fuzzy Hash: b1853024aed4013cb1262ce3cf049cb2b68ede0dcb4be03329ca0a33b6b04625
              • Instruction Fuzzy Hash: FF61FFB16483019FE715DF15E880B2AFBE6EBC5398F18991CE588A7391D772EC40CB51
              Function 00E2E1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON
              Download Yara Rule
              Strings
              • 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00E2E333
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
              • API String ID: 0-2471034898
              • Opcode ID: 26e431d9840fc7039d93076078912536a5688c47e3b2ee14bbcf8f277778ff4e
              • Instruction ID: fdbc7e75dcf0d0865fb3d405cb0b0e2a1e1a2887b81eb34ff2e67d1a5f13787d
              • Opcode Fuzzy Hash: 26e431d9840fc7039d93076078912536a5688c47e3b2ee14bbcf8f277778ff4e
              • Instruction Fuzzy Hash: 6C512823B196B08BD328C93D6C553AA6AC70BA2334B3DD769E9F6AB3F1D55588044390
              Function 00E63920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %*+(
              • API String ID: 0-3233224373
              • Opcode ID: 5594384043370f751663e179fce45dcdc15665ba23137cbb2d998a54ab211f18
              • Instruction ID: 638aab1fa58f0023d848b7dc4f0107dd8274a58142e195c3ad3f20097704d056
              • Opcode Fuzzy Hash: 5594384043370f751663e179fce45dcdc15665ba23137cbb2d998a54ab211f18
              • Instruction Fuzzy Hash: EA51D1756482009FCB24DF65E880A2ABBF5FFC5388F14A91CE4CAA7251C371DD10DB62
              Function 00F62680 Relevance: 1.4, Strings: 1, Instructions: 160COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: ;?6
              • API String ID: 0-1778944745
              • Opcode ID: feb8c1246e6c08f33ba168d2b746f6c2e89de0b5ed67a564bec5a9f1bf063af9
              • Instruction ID: 971bc05cfd1711610aaa15f34707dccee0af472721674d239613ba3212ffb0ab
              • Opcode Fuzzy Hash: feb8c1246e6c08f33ba168d2b746f6c2e89de0b5ed67a564bec5a9f1bf063af9
              • Instruction Fuzzy Hash: 2041E8F3A182009FE3056D29DC827BAB3D9EB64321F1A493DD7C4C7780E93A98418786
              Function 010862E0 Relevance: 1.4, Strings: 1, Instructions: 152COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: lP1
              • API String ID: 0-3003734426
              • Opcode ID: 152005fcffcf6297ef0d7845e0990278f9ffe7a8936d9442a80a104551c6e60f
              • Instruction ID: 0de8b8540ba9b09804904380f591f6286d11f31c6279c6f1c47efc788665d0d7
              • Opcode Fuzzy Hash: 152005fcffcf6297ef0d7845e0990278f9ffe7a8936d9442a80a104551c6e60f
              • Instruction Fuzzy Hash: F15139B250C610DFD3157F29D88567EBBE4EF14750F06892EEACA97200DB3658508B97
              Function 00E31BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: L3
              • API String ID: 0-2730849248
              • Opcode ID: 02f4414a5bc5e95aa4bed60fd6f845a944ece3b847a86c85628cfa547b47a049
              • Instruction ID: 4a05046281a9489c6dca3c315de1b79a212d43d9cdce46225a9ef3432cf7e3a2
              • Opcode Fuzzy Hash: 02f4414a5bc5e95aa4bed60fd6f845a944ece3b847a86c85628cfa547b47a049
              • Instruction Fuzzy Hash: 454141B40083809BC7149F25D898A2BBBF0FF86354F04A91CF5C9AB291D736C905CB56
              Function 00E5FF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %*+(
              • API String ID: 0-3233224373
              • Opcode ID: deb10a5ff7ecac19ac05637b50090d68b41f83e2cfda0c38c7d68745c1523fbc
              • Instruction ID: c39deead839d12834e95813913bcee96df7b5fa0d0ee112ee671e1f0afa22e84
              • Opcode Fuzzy Hash: deb10a5ff7ecac19ac05637b50090d68b41f83e2cfda0c38c7d68745c1523fbc
              • Instruction Fuzzy Hash: 0831FAB1A88311ABD610EA14FC41B2BB7E9EB85788F546C28F885F7252E331DC14C763
              Function 00E4E40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: 72?1
              • API String ID: 0-1649870076
              • Opcode ID: bf62108ed5cd8c00864732a3fc268eaab2b10c75da28e795d4666f58cf244f1c
              • Instruction ID: 0a3a542c166095f84ac533deada704d8bdd81c40ccd0ae81b10e8c21d371f9a2
              • Opcode Fuzzy Hash: bf62108ed5cd8c00864732a3fc268eaab2b10c75da28e795d4666f58cf244f1c
              • Instruction Fuzzy Hash: 5531C1B5900305CFDB20CF99F8805AFB7B4FB4A315F241869E54AB7301D335A945CBA2
              Function 00E36F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: %*+(
              • API String ID: 0-3233224373
              • Opcode ID: a204707c0ade403625d76dce2d9b40b97f3e81695697a10f235e3427a053d4e9
              • Instruction ID: a44dd8514b6bdfa4b6ab1802e26214f381fade574f6117239c794b83a2a3279b
              • Opcode Fuzzy Hash: a204707c0ade403625d76dce2d9b40b97f3e81695697a10f235e3427a053d4e9
              • Instruction Fuzzy Hash: E14126B5604B049FD7388B61D998B26BBF2FB49705F149918E5CAAB6A1E371E800CF10
              Function 00E4E66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID: 72?1
              • API String ID: 0-1649870076
              • Opcode ID: 7cd2b401446f9f0f84b3e61068bd6305cb30702a8cfadb0f2b97fc7d568699d1
              • Instruction ID: 7061b54545fbef2b1f2f9c9b3fd978fd68d2cb930404c031f4b5266f469a25de
              • Opcode Fuzzy Hash: 7cd2b401446f9f0f84b3e61068bd6305cb30702a8cfadb0f2b97fc7d568699d1
              • Instruction Fuzzy Hash: 3121BCB1900304CFC720CF99E884AAFBBB5BB4A704F24185DE54ABB301C335A945CBA2
              Function 00E69CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: @
              • API String ID: 2994545307-2766056989
              • Opcode ID: 8f20aab2991021f29f138326d1dcb806b6512ed7cb0818cfc6b158af8a4acda7
              • Instruction ID: 23f19c00e73f7880cea0e32e2ece5221e2a7ef5ce3e4f4bd4ab1955524fd3486
              • Opcode Fuzzy Hash: 8f20aab2991021f29f138326d1dcb806b6512ed7cb0818cfc6b158af8a4acda7
              • Instruction Fuzzy Hash: 9C318B709083009BD314DF15E880A2BFBF9FF9A398F14992CE5C8A7252D375D944CBA6
              Function 00E34E2A Relevance: 1.0, Instructions: 957COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 67a5a27e1b8620d445242249ffe66778ca7f68be5544b856651b5af33de526ba
              • Instruction ID: 0a9c5ef7086b479d4f4250b1c464238a1f2ca9c48d8762b8e49a97eb0bde41f5
              • Opcode Fuzzy Hash: 67a5a27e1b8620d445242249ffe66778ca7f68be5544b856651b5af33de526ba
              • Instruction Fuzzy Hash: 9E6246B1500B008FD725CF24D985B27BBF6AF4A704F54992CD49A9BB92E771F808CB91
              Function 00E2BEB0 Relevance: .9, Instructions: 895COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
              • Instruction ID: 78c80a25115f46f5a0f84f635acd868f48ee0a02bc8213424a3835b4e636ace9
              • Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
              • Instruction Fuzzy Hash: B252F9325087218BC725DF18E8402BEB3E1FFD5319F399A2DD9D6A3290D774A851CB86
              Function 00E68652 Relevance: .7, Instructions: 710COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f3feead4a51b4489aa4872adf1786bfc48a973c75ba06ce3e3a251f8503a2694
              • Instruction ID: e481559d5b38d11d0fdc099a0638228cab2443f4af7bb09ac17706be664010ab
              • Opcode Fuzzy Hash: f3feead4a51b4489aa4872adf1786bfc48a973c75ba06ce3e3a251f8503a2694
              • Instruction Fuzzy Hash: 1622FD75609340CFC704EF69E89062AB7F1FF89315F49896DE589A73A2C731D894CB42
              Function 00E686F0 Relevance: .7, Instructions: 681COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: acf9532e1d52814914db5937a4a0a3accc694a62cb64ac5177a12c5a48fc62ef
              • Instruction ID: 2467ff24e8fe054503eb0255f9534dfd7bcc0207c73c0f1338b9ed281bf68434
              • Opcode Fuzzy Hash: acf9532e1d52814914db5937a4a0a3accc694a62cb64ac5177a12c5a48fc62ef
              • Instruction Fuzzy Hash: 7022DD75609340DFC704EF69E89061ABBF5FF8A345F09896DE489A73A2C731D894CB42
              Function 00E2B3A0 Relevance: .7, Instructions: 670COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6708834c4cd55ca2044570f5ecce9a52f1dd2a9114a5661dc23ab0542d9695bb
              • Instruction ID: cd2d4d35181abf152b6cf4a6d982942853ecfc5d06babd563ee12bfaee21ddb6
              • Opcode Fuzzy Hash: 6708834c4cd55ca2044570f5ecce9a52f1dd2a9114a5661dc23ab0542d9695bb
              • Instruction Fuzzy Hash: 2452B470908B988FE735CB24D4843A7BBE2EF91318F146D2EC5D61ABC2C779A885C751
              Function 00E271F0 Relevance: .7, Instructions: 657COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8eaf4c01bf17832c661f74b6a6c55ece0ad3eb475851ddfaae1c9a6e6d60a61f
              • Instruction ID: 8b8d5d33d4fa7aac76d14c1a53077c18da05625d96e184974bde223e04769157
              • Opcode Fuzzy Hash: 8eaf4c01bf17832c661f74b6a6c55ece0ad3eb475851ddfaae1c9a6e6d60a61f
              • Instruction Fuzzy Hash: AD52E27150C3658FCB18CF28D0806AABBE1FF88318F199A6DE8D967351D774D989CB81
              Function 00E28FD0 Relevance: .6, Instructions: 620COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 812513df8c67207acf470de620676834a71b4f766e796c9717dea0061fd45d77
              • Instruction ID: 592dc71f81db6c8865154a78fd5f906756ed54d3c18f9bed5c102c96ae4f8ee5
              • Opcode Fuzzy Hash: 812513df8c67207acf470de620676834a71b4f766e796c9717dea0061fd45d77
              • Instruction Fuzzy Hash: 48428779608301DFD708CF29E85075ABBE1BF88354F09986CE4859B3A2D775D989CF82
              Function 00E27BF0 Relevance: .6, Instructions: 592COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 11cc86ef971baa5df45cd7ac8a53da33bf48fbf7d0724093a20380005189eb7c
              • Instruction ID: 198feee8441c25a87f248276b354b20c9885f7fc9c0877fe220b9eec690a1264
              • Opcode Fuzzy Hash: 11cc86ef971baa5df45cd7ac8a53da33bf48fbf7d0724093a20380005189eb7c
              • Instruction Fuzzy Hash: 07323270619B208FC328CF29D690566BBF1FF45710B606A2ED6A7A7F90D736B845CB10
              Function 00E689A0 Relevance: .5, Instructions: 545COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0352404f2b5d143ab5458ca06a65c87247402e2b84c481549a1377430cc8db76
              • Instruction ID: ad05659b6d9ac5456a0b7cc6e00a33918a00e2f18bbc9f9e5378b49e1a8929df
              • Opcode Fuzzy Hash: 0352404f2b5d143ab5458ca06a65c87247402e2b84c481549a1377430cc8db76
              • Instruction Fuzzy Hash: C302BC74608380DFC704DF69E88061AFBE5EF8A345F09896DE5C9A73A2C735D854CB92
              Function 00E68A80 Relevance: .5, Instructions: 524COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: db9a73eee3b9c7cb609687cd02b89b999a9410ff80cb5d53b9da79a8d5b89250
              • Instruction ID: 13e6c4134d3abceaf56decf3d7a7f5fe5bfa1c949e240178aff78617b8fff5d1
              • Opcode Fuzzy Hash: db9a73eee3b9c7cb609687cd02b89b999a9410ff80cb5d53b9da79a8d5b89250
              • Instruction Fuzzy Hash: F5F19A7460C380DFC704DF69E88061EFBE5EB8A345F09892DE4C9A7262D736D954CB92
              Function 00E68C02 Relevance: .5, Instructions: 487COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e7a7cd1162c6129e1bf335e528aac557f677aa7ab9f8b24f51a8f472d0d58095
              • Instruction ID: 6f4d7cde467908fa7880ef25834088a77ab28027a6d605dc4c8a93ba887e1203
              • Opcode Fuzzy Hash: e7a7cd1162c6129e1bf335e528aac557f677aa7ab9f8b24f51a8f472d0d58095
              • Instruction Fuzzy Hash: 74E1DF7160C380DFC704DF29E88062AF7E5EB8A315F09896CE4C9A73A2D735D954CB92
              Function 00E2A300 Relevance: .5, Instructions: 459COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
              • Instruction ID: 2ca465a677620f935c82c9d4a26d69feebccf1a6603372fb69c1b696c0e55ed2
              • Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
              • Instruction Fuzzy Hash: 53F1BB766083418FC724CF29D88176BFBE2AFD8304F08982DE4C697751E639E945CB96
              Function 00E68E70 Relevance: .4, Instructions: 420COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 528af968c9b944a0201f7f0ccb129484d4cff74d8f4c5d0fc055d6ba137a13c9
              • Instruction ID: f6ae5bcb105b3d7863490399fd5935e04dd9b555a1ef3150957d941807922c5a
              • Opcode Fuzzy Hash: 528af968c9b944a0201f7f0ccb129484d4cff74d8f4c5d0fc055d6ba137a13c9
              • Instruction Fuzzy Hash: C2D1B27060C280DFD704DF28E89062EFBF5EB4A345F09896CE4C9A72A2D736D854CB52
              Function 00E67AB0 Relevance: .4, Instructions: 354COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cebeb09ace83702e1beacf49560ee03436d43406b38816751935026efb4e3cd6
              • Instruction ID: 9d175db805a8bdb90eda55ed9f1bda282b7ef066fa84c1946a650eae31f72e5c
              • Opcode Fuzzy Hash: cebeb09ace83702e1beacf49560ee03436d43406b38816751935026efb4e3cd6
              • Instruction Fuzzy Hash: 2AB12572A4C3504BE314DE28EC41B6BBBE5EFC9358F08592DE9D9A7381E635DC048792
              Function 00FDF9CC Relevance: .3, Instructions: 306COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ca922833b01b8f663941d28bcd0da582190b19e56e491b6fb4887be818d8a4b7
              • Instruction ID: 61848dd92224ce46b0e50e9390bd23a93250f441c4242d53e79847d81ba69682
              • Opcode Fuzzy Hash: ca922833b01b8f663941d28bcd0da582190b19e56e491b6fb4887be818d8a4b7
              • Instruction Fuzzy Hash: 24B16DB7F5062547F3944839DD983A265839BE4324F2F42388F9D6B7C6E87E9D0A1384
              Function 00E2AF10 Relevance: .3, Instructions: 303COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
              • Instruction ID: ddf22000d1209c76ca9cd474fd2882303ca9dcbb8208c9173ae887562999201e
              • Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
              • Instruction Fuzzy Hash: 37C189B2A087518FC360CF28DC96BABB7E1FF85318F08492DD1D9D6242E778A155CB46
              Function 00E36536 Relevance: .3, Instructions: 295COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3805c1e3b5df971df87bba68480c17ceefc5077397fc86fd81341de003f39c4
              • Instruction ID: d86c572c5a9166bbd5f01fef3cf7ef4a4d72df69059040477d52635f0c0b3b7e
              • Opcode Fuzzy Hash: a3805c1e3b5df971df87bba68480c17ceefc5077397fc86fd81341de003f39c4
              • Instruction Fuzzy Hash: 47B111B4500B409BC325CF24D985B27BBF1EF4A704F14985CE8AAABA52E375F805CB55
              Function 00E67710 Relevance: .3, Instructions: 287COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 37deb5b5d773f63576fe33bf2298758178d3b91b15b8b0f562daa394e42bbab6
              • Instruction ID: 6b280c50f46b2e6dc84c1dc30231851c2792f3a5a40051ac73102b68fa7e3136
              • Opcode Fuzzy Hash: 37deb5b5d773f63576fe33bf2298758178d3b91b15b8b0f562daa394e42bbab6
              • Instruction Fuzzy Hash: 0491BF71A9C301ABE724CB54E840B6FB7E5EB85398F54581DF4D8A7351E730E940CB92
              Function 00E6A0D0 Relevance: .3, Instructions: 282COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2129634955b3897bd5f6165a964370f5fa7203565f25bf86f7037560d3564f90
              • Instruction ID: edbfa5ea6f4687c1b4bcef58713e5beb88338721c5eeb1bc5261da687e85fd1a
              • Opcode Fuzzy Hash: 2129634955b3897bd5f6165a964370f5fa7203565f25bf86f7037560d3564f90
              • Instruction Fuzzy Hash: 4B81B0746893018FD724DF28E890A2EB7F5EF55784F09992CE485AB361E731EC50CB92
              Function 00E564F0 Relevance: .2, Instructions: 246COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 610cb3693c48243a2461bebcdd11f8131d6c759e0f9ca50fc304ed2bbc14ddda
              • Instruction ID: d432d6693d824ac53e2e7823a61768dc99355a81feb7ecf6dbae313bdd3b7b58
              • Opcode Fuzzy Hash: 610cb3693c48243a2461bebcdd11f8131d6c759e0f9ca50fc304ed2bbc14ddda
              • Instruction Fuzzy Hash: 66711933B69A904BC3248D3D5C413A6AA434BD6338B7DD77AECB4EB3E5D5694C0A4340
              Function 00E428E9 Relevance: .2, Instructions: 244COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 62c7a86a301cb61f60d24f00b9c5f37b7a2c6597d628324eea3940ff66fad014
              • Instruction ID: 346f7e459e85ad6176b98c2e9dcec6fa448ddbbf10c08f9d4c375a03c7d4ece8
              • Opcode Fuzzy Hash: 62c7a86a301cb61f60d24f00b9c5f37b7a2c6597d628324eea3940ff66fad014
              • Instruction Fuzzy Hash: 7A61A7B04083508BD300AF19E851A2ABBF0FFA6754F48690DF5C5AB261E339D900CBA7
              Function 00E47C00 Relevance: .2, Instructions: 243COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 50ee0ecc70ad7d7af3fda7cce7a2ef373a1124fc19a21afb4eff7c2727c19705
              • Instruction ID: 50f56c7aba45c5277aed795d3ddfb2509a8e97b17f1e111a80df08e3cc77232b
              • Opcode Fuzzy Hash: 50ee0ecc70ad7d7af3fda7cce7a2ef373a1124fc19a21afb4eff7c2727c19705
              • Instruction Fuzzy Hash: 5851B3B1A183049BDB209B24EC82BB773B4EF86358F146958F9C59B291F375DC01C7A2
              Function 00F69FCF Relevance: .2, Instructions: 234COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 712b943c7e0c14d195bbaaa723841ac3cb5c207ef65ee047a56e669972062263
              • Instruction ID: 86ef2b9dcec36d6d6a368d4db42a6aca9b7f4471b586e2b15ff196a3cc6999ed
              • Opcode Fuzzy Hash: 712b943c7e0c14d195bbaaa723841ac3cb5c207ef65ee047a56e669972062263
              • Instruction Fuzzy Hash: 237127F3A182049FF3086E29DC9973AB7DBEB94320F1A453DE6C5C3780ED3968058656
              Function 00F12E4C Relevance: .2, Instructions: 222COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ce328afae6082699545db0986b58b686de21ae6f78218f8744f3128b08afc207
              • Instruction ID: d01b2bd1b7a5cc4b335dfcbad64d8efa9aa0781832aaf6a5e34ef37dcfb4e7ca
              • Opcode Fuzzy Hash: ce328afae6082699545db0986b58b686de21ae6f78218f8744f3128b08afc207
              • Instruction Fuzzy Hash: 8A6127B3A08610AFE3045E2DDC4476ABBE6EFD4720F1A893EEAC4D7744E5355D058782
              Function 00E51860 Relevance: .2, Instructions: 217COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
              • Instruction ID: f9dda24eab5b82fe514dd9ee65e30fe6c8b8d54df4c720ade5e47bc72f715e5f
              • Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
              • Instruction Fuzzy Hash: B861F0316093019BD725CE2CC58032FBBE2EBC5356F64EDADF889AB252D270DC898741
              Function 00E582D0 Relevance: .2, Instructions: 215COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0e7424357d9903d641b809eb9ee2866a859c4fa9fd3becda46caf519ed98ab1d
              • Instruction ID: 3935c927afd53fd16159e8a411654719cd78a4576dab90939f617496f3f1531a
              • Opcode Fuzzy Hash: 0e7424357d9903d641b809eb9ee2866a859c4fa9fd3becda46caf519ed98ab1d
              • Instruction Fuzzy Hash: 0E615723B1A9908BD318453D1D563E66A831BD2335F3ED766DCF2BB3E4DDA948094341
              Function 00E342FC Relevance: .2, Instructions: 206COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2047c042562451a5b2204f279262476888fa22c511ad339afee22d5907e974a2
              • Instruction ID: 21880b9037f7a9f8cd15dc3aba70d3eda0f837427a614e9fea97ee1725811a91
              • Opcode Fuzzy Hash: 2047c042562451a5b2204f279262476888fa22c511ad339afee22d5907e974a2
              • Instruction Fuzzy Hash: 9981EFB4811B00AFD360EF39D94B797BEF4AB06201F504A1DE5EA96694E7306419CBE3
              Function 00E5E8A0 Relevance: .2, Instructions: 189COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
              • Instruction ID: 319a22368e338c5a37f2d7aebfbc6c02789068bc64774ba849ee8762a4a120a8
              • Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
              • Instruction Fuzzy Hash: 25517DB16083548FE314DF69D49435BBBE1BBC5318F044E2DE4E997351E379DA088B82
              Function 00F0D299 Relevance: .2, Instructions: 177COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8227eb596654b66c73392c5d238f492d04ed013853a03408db65e08213740daf
              • Instruction ID: 2352bbc56fa02e30497ad76ebce4fce818f8f9a40cdaa7cb661dd7bf2a55b985
              • Opcode Fuzzy Hash: 8227eb596654b66c73392c5d238f492d04ed013853a03408db65e08213740daf
              • Instruction Fuzzy Hash: B45137F3B483048BE308AE2CDC9577ABBD2EB94310F1A453CDAD547784E97959148687
              Function 00E67520 Relevance: .2, Instructions: 176COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a0b9615fd6c41242b10555af590857926c788bf1537de5f6cf8d6e1b5dd8b002
              • Instruction ID: d628fb13c76c311432666340c6c992c06c3f65850eb6d7b2834e0e9d51929f3a
              • Opcode Fuzzy Hash: a0b9615fd6c41242b10555af590857926c788bf1537de5f6cf8d6e1b5dd8b002
              • Instruction Fuzzy Hash: A351197164C2009FC714DE19EC90B2EB7E6EB8539DF289A2CE8E977391D631EC148751
              Function 00E25A50 Relevance: .2, Instructions: 163COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1d6dd73c1f5a4cff4d4df427fecde821aa01af236cf6bc2e48c3de10492d4970
              • Instruction ID: 07b906dc753d49c8c2434a01e6813459eea3bb55d96ce6c8712d737c87f7ddbe
              • Opcode Fuzzy Hash: 1d6dd73c1f5a4cff4d4df427fecde821aa01af236cf6bc2e48c3de10492d4970
              • Instruction Fuzzy Hash: AF51E7B69047249FC714DF14E88192AB7E1FF89328F15566CF896AB352D730EC41CB91
              Function 00EE0C9C Relevance: .2, Instructions: 161COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b24daf302826e37a85b899793a04eb10e7f2f8c72e126a6c8bf853399783ed6c
              • Instruction ID: 607e05f4b74aeeda616acacdcd38d0725bd1bdf4c647071479e28c389ec59b73
              • Opcode Fuzzy Hash: b24daf302826e37a85b899793a04eb10e7f2f8c72e126a6c8bf853399783ed6c
              • Instruction Fuzzy Hash: 8741E3F3A082045BE314AE2DEC85A7BBBD9EF90320F0A853DE5C497344E935AC118693
              Function 00F9FC71 Relevance: .2, Instructions: 161COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ba9b0cf765c8c63c717cfb07bbb6929515a73bdcc5d0e8f55e1d7d3e2f532b60
              • Instruction ID: 1602d270cc9b12b36d4acad2494e09b0495475730f54e7eaf30f19bc378f7d55
              • Opcode Fuzzy Hash: ba9b0cf765c8c63c717cfb07bbb6929515a73bdcc5d0e8f55e1d7d3e2f532b60
              • Instruction Fuzzy Hash: A54159F7D0921497E3046E2ADC0577ABAEA9BD0720F3B453DE9D897784E939480686C3
              Function 00E4EC48 Relevance: .1, Instructions: 146COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 117ebfca853d8ae3a0a81a4fdbbb86b63f47d45193310f501bd6618514a0c633
              • Instruction ID: 1e79266cda54d99db0dfab9521a0be83817dff0452e176b9fcf3b7a4668631b8
              • Opcode Fuzzy Hash: 117ebfca853d8ae3a0a81a4fdbbb86b63f47d45193310f501bd6618514a0c633
              • Instruction Fuzzy Hash: 51418C74900325DBDF20CFA4E891BA9B7B0FF4A344F145548E945BB3A1EB38A951CB91
              Function 00E69B60 Relevance: .1, Instructions: 140COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c94af7d9ef35248eb3ae957b5b4496c9307a04d1a47e82c63f9cd087a4181639
              • Instruction ID: 854eaaf0c9208f6629d28ec56aef2895cf0d6f18f8f75b5d43e64ed54632508a
              • Opcode Fuzzy Hash: c94af7d9ef35248eb3ae957b5b4496c9307a04d1a47e82c63f9cd087a4181639
              • Instruction Fuzzy Hash: 5441A134688300AFD714DB15E990B2AF7FAEB85794F14982CF589A7252D371E840CB66
              Function 00ED9E40 Relevance: .1, Instructions: 138COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 75a1ea8b358b08b1bf2ca3d539d8592acc7ba873fdcd8238c3358a8ac8102151
              • Instruction ID: b532814c118cb1c172b7530d09684ff9c768106b2c91510c02d1053e43487e54
              • Opcode Fuzzy Hash: 75a1ea8b358b08b1bf2ca3d539d8592acc7ba873fdcd8238c3358a8ac8102151
              • Instruction Fuzzy Hash: 124127F3E086144BF314AA2DDC8277AB6D5DB84720F0A853DDA88D7744E8399C058387
              Function 00E32030 Relevance: .1, Instructions: 136COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 43eeceee111fd5df9901e2ba2981940d1e1d24af5a236352fef0c3d50a5b945d
              • Instruction ID: b82f9f33d0ecf02201c13a5c9c6049e3ba71c1ecc224848bbec5c23c128b5c6a
              • Opcode Fuzzy Hash: 43eeceee111fd5df9901e2ba2981940d1e1d24af5a236352fef0c3d50a5b945d
              • Instruction Fuzzy Hash: A4410832A083654FD35CCE6984A423ABFE2AFC4300F19862EE5D6973D0DAB58945DB81
              Function 00E31E93 Relevance: .1, Instructions: 131COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a95ce4710e2258449f86c8830af6927277ebb65a2eaab9445f92ac8bc130bd66
              • Instruction ID: 9f433f777545e9bf59e3f42f06105f93a7062a945f435319d6e985a3ec82adcc
              • Opcode Fuzzy Hash: a95ce4710e2258449f86c8830af6927277ebb65a2eaab9445f92ac8bc130bd66
              • Instruction Fuzzy Hash: C241D1746083809BD320AB59D888B1EFBF5FB86745F14591CF6C4A7292C376E814CF66
              Function 00E68D8A Relevance: .1, Instructions: 124COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cefa6384ccdd2a40bb4aae9d9207d73c200092281062301fe638237860aa016c
              • Instruction ID: ffe7e35b56bd369cc6afd6d1fdfa4791cd4565106653eae05f38fe8363f17ac7
              • Opcode Fuzzy Hash: cefa6384ccdd2a40bb4aae9d9207d73c200092281062301fe638237860aa016c
              • Instruction Fuzzy Hash: 4541EF3164D2508FC304DF68D59052EFBEAAF99344F099A2DD4D5E72A1CB74DD018B92
              Function 00E3D961 Relevance: .1, Instructions: 121COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 51baba51c362e700fdd418e965cdc40c9256fe79dfa8f0dff2635b6bdf918c25
              • Instruction ID: e5f6cc19b1cdae1851f978afa70751fd12fd3ea3c40778e94c7d7c33685501b3
              • Opcode Fuzzy Hash: 51baba51c362e700fdd418e965cdc40c9256fe79dfa8f0dff2635b6bdf918c25
              • Instruction Fuzzy Hash: 1341ABB1548391CBD330DF10D845BAFBBB0FF96364F041958E49AAB651E7744840CB93
              Function 00E5F030 Relevance: .1, Instructions: 104COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
              • Instruction ID: 536ab6d023dd15ddeed2139447f70153e5852d234d080a0036ceef888b4386b0
              • Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
              • Instruction Fuzzy Hash: 19210A3290811447C3249B59C48153BF7E4EB99709F0ADA3EDDC4A7295E335DC1487D1
              Function 00E667EF Relevance: .1, Instructions: 101COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a9dace4fb89a0a2e40a882777af00b0760a3faad0626758668180d0cf4af620f
              • Instruction ID: 47982a037a78719fb2d02176b8a765344a0eccbb40138438c7f38960a73c0247
              • Opcode Fuzzy Hash: a9dace4fb89a0a2e40a882777af00b0760a3faad0626758668180d0cf4af620f
              • Instruction Fuzzy Hash: 2A3134705683829AD714CF14D49062FBBF0EF96398F50680CF4C8AB261D338D985CB9A
              Function 00E45E70 Relevance: .1, Instructions: 99COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 64b1af0d61d633772485ac67cfc15e6d01429cfe6fc580f36598e5831848c34b
              • Instruction ID: e183367360e45117087406e39155b8b179e7bdca90db062e41fae9fe98dd5928
              • Opcode Fuzzy Hash: 64b1af0d61d633772485ac67cfc15e6d01429cfe6fc580f36598e5831848c34b
              • Instruction Fuzzy Hash: FE21A172508201DBC310AF18D84192BB7F4EF92768F549908F4D9AB292E334D904CBA3
              Function 00E249A0 Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
              • Instruction ID: 5737bfc1fd897276e9a501572210f92309bd8ec080e47cd978f1cfc32c85a9aa
              • Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
              • Instruction Fuzzy Hash: C631EFF16482219BD711DF18F88166BB7E1EFC435CF18A92DE499A7281E235DC42CB45
              Function 00E664B8 Relevance: .1, Instructions: 83COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d81e12a97c8e7efb49277e3cdcd45e3102dfdbf66b1746a0c6001877950b9077
              • Instruction ID: 5f8a858fd918489c074c599d8cf490b994ee2816d7011d4dc0801d2901f5ca18
              • Opcode Fuzzy Hash: d81e12a97c8e7efb49277e3cdcd45e3102dfdbf66b1746a0c6001877950b9077
              • Instruction Fuzzy Hash: 4C214A7055C2409FC708EF1AE580A2EFBF6FB95785F18981CE4D9A3361C735A854CB62
              Function 00E5B650 Relevance: .1, Instructions: 64COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
              • Instruction ID: 0bebd7fbb6da5a7c2cfb489fedbbea86af78dd67f2c63ceea2b11e3d7e6e0a38
              • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
              • Instruction Fuzzy Hash: 7A110C33A051D44EC3168D3C84405A5BFE31AE3236F5D5799F8B4AB2D2D7638D8E8355
              Function 00E50B80 Relevance: .1, Instructions: 63COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
              • Instruction ID: ba96e0103f9c751a976c9febb6f137f2d77b5845856baac62b951cb59ed03187
              • Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
              • Instruction Fuzzy Hash: 16014CF5A0030247E6609E54E4D1B3BB3E86F8571DF18692CFD0667202DB75EC098691
              Function 00E4D1E1 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: df428ae7a3cc5aa764e57bd446d27af546516fa7f811075c65b4ccdca0ee0431
              • Instruction ID: a8d13dfbcf3404701dd40e0616640aab08c6a95f062c59e6b99bf2e59a32027c
              • Opcode Fuzzy Hash: df428ae7a3cc5aa764e57bd446d27af546516fa7f811075c65b4ccdca0ee0431
              • Instruction Fuzzy Hash: 6111DDB0408380AFD3109F619484A1FFBE5EBA6754F149C0DF5A4AB251C375D819CB56
              Function 00E26EA0 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a22347e4e5b37a994d1a0c90e0f633eea6b019224deffaa5cd65b84988fe388c
              • Instruction ID: f339c8c3ce50aec38811e0c1ab0a4e697947a191b534e4baa3b3133db64d9ef7
              • Opcode Fuzzy Hash: a22347e4e5b37a994d1a0c90e0f633eea6b019224deffaa5cd65b84988fe388c
              • Instruction Fuzzy Hash: 8AF0BB3B7192190FBA10CDABB884837F396D7D5359B156638EA41E3205DDB1E8055190
              Function 00E5B8C0 Relevance: .0, Instructions: 44COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
              • Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
              • Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
              • Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695
              Function 00E3C5F0 Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
              • Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
              • Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
              • Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696
              Function 00E3B410 Relevance: .0, Instructions: 38COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
              • Instruction ID: 2c34616b0652a4a914b86fbf3b1c951be24830f09f262dba92c2a71f32df8450
              • Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
              • Instruction Fuzzy Hash: DFF0ECB1A0451057DF228A549CC4F37BFACCB87358F192427EA8667103E2615845C3E9
              Function 00E58220 Relevance: .0, Instructions: 32COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d4693eba7ff4d0755766c6c865171e1d6d2f7235bb96b9cad6dc7b65b3471bdd
              • Instruction ID: 5cce702d2319ee67540d0fae6b141dc42491c2c69b69e5f1761fd1c198e52fb1
              • Opcode Fuzzy Hash: d4693eba7ff4d0755766c6c865171e1d6d2f7235bb96b9cad6dc7b65b3471bdd
              • Instruction Fuzzy Hash: 1E01E4B04147009FC360EF29C846757BBE8EB48754F504A1DE8EECB680D770A548CB82
              Function 00E61440 Relevance: .0, Instructions: 21COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
              • Instruction ID: 594f6ac625337d09e12924b151ecfcd3341fbbc3d2efdec1c7c99d0ae01359c6
              • Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
              • Instruction Fuzzy Hash: E8D09731648321469F348E19B400977F3F0EAC3B85F4CA09EF592F3148D630DC00C2A8
              Function 00E31ACD Relevance: .0, Instructions: 14COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2d170a52376705a27da45328311ae92464e919be0580f44e8ca6cc90ee50513c
              • Instruction ID: c0c4458dc2b51bb4801268bd78500deed4c54a56cbb7702da897c91c7421582c
              • Opcode Fuzzy Hash: 2d170a52376705a27da45328311ae92464e919be0580f44e8ca6cc90ee50513c
              • Instruction Fuzzy Hash: A1C01234A180008F8204CF02BC99432B6B8A70A249B00702ADA22F3A61DEA0C80A9909
              Function 00E66094 Relevance: .0, Instructions: 12COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8a0e2773eaf984095b82287758d4e9c97d9f73075cf43dcb52a5f7312834a35a
              • Instruction ID: 4d43504e03e526f914f10ae99bea4d66c51a52a6e55aee8d04dceee876f812a9
              • Opcode Fuzzy Hash: 8a0e2773eaf984095b82287758d4e9c97d9f73075cf43dcb52a5f7312834a35a
              • Instruction Fuzzy Hash: ECC09B3475C0008BD14CCF15E951475F3769B97754B24B11DC84A33255C134D957A51C
              Function 00E31A3C Relevance: .0, Instructions: 12COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 35f50cf83778eb45a2489d0183706e57dd1ba15675c98989371c570fc8e21aa0
              • Instruction ID: 1df0c408299c1b6d2a5fef586f7635f74210f5af75c7d39f4fe0be650400677b
              • Opcode Fuzzy Hash: 35f50cf83778eb45a2489d0183706e57dd1ba15675c98989371c570fc8e21aa0
              • Instruction Fuzzy Hash: 73C04C35A590408E86448E87B895472B6A99716249B10303AD612F7661C9A0D4098509
              Function 00E65FD6 Relevance: .0, Instructions: 11COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2198979990.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true
              • Associated: 00000000.00000002.2198968133.0000000000E20000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000000E80000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001005000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199013235.0000000001123000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199374197.0000000001124000.00000080.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199494774.00000000012BA000.00000040.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.2199517637.00000000012BB000.00000080.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e20000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ce7e6820fc275293dff36f8d1b5965b9d0ff773b3e6c26157ff99cec841e031a
              • Instruction ID: 4b50989163e4dbd87de72043604439280cbd406de170acf8a73060f0d1005294
              • Opcode Fuzzy Hash: ce7e6820fc275293dff36f8d1b5965b9d0ff773b3e6c26157ff99cec841e031a
              • Instruction Fuzzy Hash: 43C09224B680008FE28CCF2ADD51935F2BA9B8BA18B14B02DC84AB3256D134D95B960C