Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1526761
MD5:	42a232e57060ade55ead882db1c16979
SHA1:	6d5867e90a1f2786c8948ed5a8e4cc0eb00ff44c
SHA256:	b0c92d0e3de2c7c17cdcd1baf9fb4c976ea11518d7baf191c6fc0677e4e5dd3a
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 4784 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 42A232E57060ADE55EAD882DB1C16979)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["clearancek.site", "studennotediw.stor", "spirittunek.stor", "eaglepawnoy.stor", "mobbipenju.stor", "bathdoomgaz.stor", "dissapoiznw.stor", "licendfilteo.site"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T15:42:59.016935+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49712	172.67.206.204	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T15:42:59.016935+0200	2049836	1	A Network Trojan was detected	192.168.2.6	49712	172.67.206.204	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T15:42:56.601235+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.6	64690	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T15:42:56.526607+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.6	57211	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T15:42:56.571459+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.6	58508	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T15:42:56.555361+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.6	59831	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T15:42:56.624919+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.6	60521	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T15:42:56.539630+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.6	59611	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T15:42:56.612686+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.6	57500	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T15:42:56.586685+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.6	61398	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware

Found malware configuration

Source: file.exe.4784.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["clearancek.site", "studennotediw.stor", "spirittunek.stor", "eaglepawnoy.stor", "mobbipenju.stor", "bathdoomgaz.stor", "dissapoiznw.stor", "licendfilteo.site"], "Build id": "4SD0y4--legendaryy"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49712 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_008750FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0083D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0083D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_008763B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00875700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_008799D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	0_2_0087695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_0083FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00840EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00876094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	0_2_00831000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00846F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_0086F030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00874040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_0085D1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_008442FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00852260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_00852260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_008623E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_008623E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_008623E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_008623E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_008623E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	0_2_008623E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_0083A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_008764B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0085E40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_0084B410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_00871440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0084D457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_0085C470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	0_2_00838590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00859510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	0_2_00877520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00846536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_0086B650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0085E66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0085D7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	0_2_008767EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_00877710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_008528E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_008349A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	0_2_00873920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_0084D961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00841ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00841A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00874A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_00835A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00860B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00843BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00841BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00879B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	0_2_0084DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	0_2_0084DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_0085AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	0_2_0085AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_0085CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0085CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	0_2_0085CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00879CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	0_2_00879CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_00857C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	0_2_0086FC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	0_2_0085EC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00878D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	0_2_0085FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0085DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00841E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00836EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	0_2_0083BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_00846EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	0_2_00844E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	0_2_0085AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00857E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00855E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00846F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	0_2_00877FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00877FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00875FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00838FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	0_2_0084FFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00859F62
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0086FF70

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:57500 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:58508 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:59611 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:64690 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:61398 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:57211 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:59831 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:60521 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49712 -> 172.67.206.204:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49712 -> 172.67.206.204:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: studennotediw.stor
Source: Malware configuration extractor	URLs: spirittunek.stor
Source: Malware configuration extractor	URLs: eaglepawnoy.stor
Source: Malware configuration extractor	URLs: mobbipenju.stor
Source: Malware configuration extractor	URLs: bathdoomgaz.stor
Source: Malware configuration extractor	URLs: dissapoiznw.stor
Source: Malware configuration extractor	URLs: licendfilteo.site

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=637a60dbd0a430637a7ac2fe; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34837Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 06 Oct 2024 13:42:57 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180357030.0000000000E44000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180357030.0000000000E44000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic
Source: file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000002.2180089779.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site/
Source: file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=9yzMGndrVfY4&l=e
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.2158442402.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dissapoiznw.store/
Source: file.exe, 00000000.00000003.2158442402.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eaglepawnoy.store/
Source: file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.2167205745.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000003.2167205745.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/U
Source: file.exe, 00000000.00000002.2180089779.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000003.2167205745.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/u
Source: file.exe, 00000000.00000003.2167205745.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/api
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.2158442402.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158681082.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000003.2158442402.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158681082.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900Q
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2158729439.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.2158729439.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180357030.0000000000E44000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.6:49712 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00840228	0_2_00840228
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087A0D0	0_2_0087A0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1	0_2_00A010C1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A060DF	0_2_00A060DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FC01C	0_2_009FC01C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00831000	0_2_00831000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00842030	0_2_00842030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00874040	0_2_00874040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083E1A0	0_2_0083E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008371F0	0_2_008371F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00835160	0_2_00835160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008682D0	0_2_008682D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008612D0	0_2_008612D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008312F7	0_2_008312F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008313A3	0_2_008313A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083B3A0	0_2_0083B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008623E0	0_2_008623E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083A300	0_2_0083A300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00844487	0_2_00844487
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084049B	0_2_0084049B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008664F0	0_2_008664F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B944F	0_2_008B944F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085C470	0_2_0085C470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00838590	0_2_00838590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008335B0	0_2_008335B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A095D1	0_2_00A095D1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084C5F0	0_2_0084C5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A045D6	0_2_00A045D6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FA509	0_2_009FA509
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008786F0	0_2_008786F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086F620	0_2_0086F620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BA62F	0_2_009BA62F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083164F	0_2_0083164F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00878652	0_2_00878652
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AEA673	0_2_00AEA673
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086E8A0	0_2_0086E8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086B8C0	0_2_0086B8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F88C6	0_2_009F88C6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083A850	0_2_0083A850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00861860	0_2_00861860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085098B	0_2_0085098B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008789A0	0_2_008789A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00922935	0_2_00922935
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00878A80	0_2_00878A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00877AB0	0_2_00877AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FDAD2	0_2_009FDAD2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00962AE5	0_2_00962AE5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00874A40	0_2_00874A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FBA61	0_2_008FBA61
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A02B8F	0_2_00A02B8F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00837BF0	0_2_00837BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A07B49	0_2_00A07B49
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084DB6F	0_2_0084DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00876CBF	0_2_00876CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085CCD0	0_2_0085CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00878C02	0_2_00878C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F7DB5	0_2_008F7DB5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085FD10	0_2_0085FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085DD29	0_2_0085DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F6D57	0_2_009F6D57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00858D62	0_2_00858D62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083BEB0	0_2_0083BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00846EBF	0_2_00846EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00844E2A	0_2_00844E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085AE57	0_2_0085AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FFE45	0_2_009FFE45
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00878E70	0_2_00878E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00877FC0	0_2_00877FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00838FD0	0_2_00838FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083AF10	0_2_0083AF10

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0084D300 appears 152 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0083CAA0 appears 48 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9994263098184818
Source: file.exe	Static PE information: Section: rncouxpj ZLIB complexity 0.9934927418132201

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@10/2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00868220 CoCreateInstance,

0_2_00868220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1859072 > 1048576

Source: file.exe

Static PE information: Raw size of rncouxpj is bigger than: 0x100000 < 0x19c400

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.830000.0.unpack :EW;.rsrc :W;.idata :W; :EW;rncouxpj:EW;znrgkcxy:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;rncouxpj:EW;znrgkcxy:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1c7f0f should be: 0x1c6aab

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: rncouxpj
Source: file.exe	Static PE information: section name: znrgkcxy
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB60A8 push edi; mov dword ptr [esp], edx	0_2_00AB60DD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push 78E70E6Fh; mov dword ptr [esp], ebp	0_2_00A010FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push esi; mov dword ptr [esp], ebp	0_2_00A01162
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push edx; mov dword ptr [esp], ebx	0_2_00A011FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push edx; mov dword ptr [esp], 6FFE8978h	0_2_00A01298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push edx; mov dword ptr [esp], ecx	0_2_00A012B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push edx; mov dword ptr [esp], ecx	0_2_00A012C4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push 14B49D93h; mov dword ptr [esp], edi	0_2_00A012D9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push ebx; mov dword ptr [esp], 777B1EBAh	0_2_00A0133E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push esi; mov dword ptr [esp], edx	0_2_00A01401
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push 7C5F0033h; mov dword ptr [esp], ebp	0_2_00A0149C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push edi; mov dword ptr [esp], ebp	0_2_00A014F5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push edi; mov dword ptr [esp], ecx	0_2_00A01535
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push esi; mov dword ptr [esp], 00000004h	0_2_00A01539
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push esi; mov dword ptr [esp], ebp	0_2_00A015E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push 552040CFh; mov dword ptr [esp], esi	0_2_00A01635
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push eax; mov dword ptr [esp], edi	0_2_00A01653
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push ebp; mov dword ptr [esp], eax	0_2_00A01657
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push eax; mov dword ptr [esp], ebp	0_2_00A0165E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push ebp; mov dword ptr [esp], edx	0_2_00A01748
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push 65FCA980h; mov dword ptr [esp], ecx	0_2_00A017A5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push ebx; mov dword ptr [esp], edi	0_2_00A017FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push 60213254h; mov dword ptr [esp], esi	0_2_00A0186E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push 3E9BC894h; mov dword ptr [esp], edx	0_2_00A018DA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push esi; mov dword ptr [esp], 2C0BF400h	0_2_00A0198F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push edx; mov dword ptr [esp], ecx	0_2_00A019A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push ecx; mov dword ptr [esp], 0DDB663Fh	0_2_00A01A07
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push ebx; mov dword ptr [esp], 5067FDD5h	0_2_00A01A98
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push esi; mov dword ptr [esp], edx	0_2_00A01ABD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push esi; mov dword ptr [esp], eax	0_2_00A01AC9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010C1 push ebp; mov dword ptr [esp], 3141171Dh	0_2_00A01B58

Source: file.exe	Static PE information: section name: entropy: 7.975621089562242
Source: file.exe	Static PE information: section name: rncouxpj entropy: 7.95477000812694

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8944D1 second address: 8944DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F286D1EB856h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8944DB second address: 893C07 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F286CDEE626h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f jmp 00007F286CDEE639h 0x00000014 mov dword ptr [ebp+122D3386h], edx 0x0000001a push dword ptr [ebp+122D16ADh] 0x00000020 jmp 00007F286CDEE62Ch 0x00000025 jmp 00007F286CDEE639h 0x0000002a call dword ptr [ebp+122D1BC1h] 0x00000030 pushad 0x00000031 jns 00007F286CDEE62Eh 0x00000037 xor eax, eax 0x00000039 clc 0x0000003a mov edx, dword ptr [esp+28h] 0x0000003e pushad 0x0000003f add dword ptr [ebp+122D3922h], edi 0x00000045 mov eax, dword ptr [ebp+122D2D7Dh] 0x0000004b popad 0x0000004c mov dword ptr [ebp+122D389Fh], ebx 0x00000052 mov dword ptr [ebp+122D2BB1h], eax 0x00000058 jmp 00007F286CDEE638h 0x0000005d mov esi, 0000003Ch 0x00000062 jc 00007F286CDEE62Ch 0x00000068 add esi, dword ptr [esp+24h] 0x0000006c or dword ptr [ebp+122D3922h], ecx 0x00000072 add dword ptr [ebp+122D389Fh], esi 0x00000078 lodsw 0x0000007a pushad 0x0000007b mov dword ptr [ebp+122D389Fh], ebx 0x00000081 popad 0x00000082 pushad 0x00000083 mov edi, dword ptr [ebp+122D2C89h] 0x00000089 mov ebx, dword ptr [ebp+122D2C91h] 0x0000008f popad 0x00000090 add eax, dword ptr [esp+24h] 0x00000094 jmp 00007F286CDEE62Bh 0x00000099 mov ebx, dword ptr [esp+24h] 0x0000009d sub dword ptr [ebp+122D3922h], edi 0x000000a3 nop 0x000000a4 push eax 0x000000a5 push edx 0x000000a6 pushad 0x000000a7 push eax 0x000000a8 push edx 0x000000a9 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 893C07 second address: 893C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F286D1EB860h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 893C1C second address: 893C22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10D9F second address: A10DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10DA5 second address: A10DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10DA9 second address: A10DAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10DAD second address: A10DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0FD7F second address: A0FD83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0FD83 second address: A0FDB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE637h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F286CDEE62Eh 0x0000000f pushad 0x00000010 popad 0x00000011 jne 00007F286CDEE626h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0FDB6 second address: A0FDBF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0FDBF second address: A0FDF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jnc 00007F286CDEE626h 0x00000011 ja 00007F286CDEE626h 0x00000017 jnp 00007F286CDEE626h 0x0000001d jmp 00007F286CDEE633h 0x00000022 popad 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10353 second address: A10357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10357 second address: A1035B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1035B second address: A10365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10365 second address: A10369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10369 second address: A1037D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 je 00007F286D1EB858h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A11F6C second address: A11F81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F286CDEE630h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A11F81 second address: A11FAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push ecx 0x00000010 jmp 00007F286D1EB85Fh 0x00000015 pop ecx 0x00000016 popad 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push eax 0x0000001c push edx 0x0000001d push ecx 0x0000001e push esi 0x0000001f pop esi 0x00000020 pop ecx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A11FAC second address: A11FCD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b jmp 00007F286CDEE62Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007F286CDEE626h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A11FCD second address: A11FED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F286D1EB862h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A12073 second address: A12107 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F286CDEE626h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b call 00007F286CDEE638h 0x00000010 add dword ptr [ebp+122D1BE6h], ecx 0x00000016 pop ecx 0x00000017 push 00000000h 0x00000019 add dword ptr [ebp+122D3B0Dh], ecx 0x0000001f call 00007F286CDEE629h 0x00000024 push esi 0x00000025 jnp 00007F286CDEE628h 0x0000002b pushad 0x0000002c popad 0x0000002d pop esi 0x0000002e push eax 0x0000002f pushad 0x00000030 jmp 00007F286CDEE634h 0x00000035 ja 00007F286CDEE631h 0x0000003b popad 0x0000003c mov eax, dword ptr [esp+04h] 0x00000040 jnp 00007F286CDEE632h 0x00000046 jmp 00007F286CDEE62Ch 0x0000004b mov eax, dword ptr [eax] 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F286CDEE62Dh 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A12107 second address: A12197 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnc 00007F286D1EB856h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jbe 00007F286D1EB862h 0x00000016 jc 00007F286D1EB85Ch 0x0000001c jc 00007F286D1EB856h 0x00000022 pop eax 0x00000023 push 00000000h 0x00000025 push ebx 0x00000026 call 00007F286D1EB858h 0x0000002b pop ebx 0x0000002c mov dword ptr [esp+04h], ebx 0x00000030 add dword ptr [esp+04h], 0000001Ah 0x00000038 inc ebx 0x00000039 push ebx 0x0000003a ret 0x0000003b pop ebx 0x0000003c ret 0x0000003d mov ecx, dword ptr [ebp+122D2BA5h] 0x00000043 mov esi, 31AA0ADDh 0x00000048 push 00000003h 0x0000004a mov esi, dword ptr [ebp+122D2AADh] 0x00000050 push 00000000h 0x00000052 mov edi, dword ptr [ebp+122D2C41h] 0x00000058 push 00000003h 0x0000005a push 00000000h 0x0000005c push ebx 0x0000005d call 00007F286D1EB858h 0x00000062 pop ebx 0x00000063 mov dword ptr [esp+04h], ebx 0x00000067 add dword ptr [esp+04h], 00000018h 0x0000006f inc ebx 0x00000070 push ebx 0x00000071 ret 0x00000072 pop ebx 0x00000073 ret 0x00000074 call 00007F286D1EB859h 0x00000079 push edx 0x0000007a push eax 0x0000007b push edx 0x0000007c push ecx 0x0000007d pop ecx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A12197 second address: A1219B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1219B second address: A121AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A121AB second address: A121B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A121B0 second address: A121B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A121B6 second address: A121D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F286CDEE62Ch 0x00000010 mov eax, dword ptr [eax] 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A121D4 second address: A121D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A12282 second address: A122B3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F286CDEE626h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b stc 0x0000000c push 00000000h 0x0000000e call 00007F286CDEE629h 0x00000013 jmp 00007F286CDEE631h 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A122B3 second address: A122B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A122B9 second address: A122BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A122BD second address: A122C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A122C1 second address: A122EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c js 00007F286CDEE62Eh 0x00000012 push ecx 0x00000013 jc 00007F286CDEE626h 0x00000019 pop ecx 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e jno 00007F286CDEE62Ch 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A09185 second address: A09189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A31894 second address: A31898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A31898 second address: A318B5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F286D1EB85Eh 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A31E7F second address: A31E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F286CDEE626h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A31E89 second address: A31EA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286D1EB864h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A31EA6 second address: A31EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A32743 second address: A32774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007F286D1EB869h 0x0000000b jmp 00007F286D1EB85Ch 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A32774 second address: A3277C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A28A89 second address: A28A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A28A8D second address: A28A91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F9FC6 second address: 9FA00F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286D1EB866h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F286D1EB865h 0x0000000e popad 0x0000000f push edx 0x00000010 push edi 0x00000011 jmp 00007F286D1EB85Eh 0x00000016 push edx 0x00000017 pop edx 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FA00F second address: 9FA013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FA013 second address: 9FA019 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A329FF second address: A32A03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A32A03 second address: A32A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A32A0E second address: A32A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A32A13 second address: A32A2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286D1EB862h 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A32A2C second address: A32A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b jmp 00007F286CDEE62Bh 0x00000010 pop edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3305D second address: A33061 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33061 second address: A3306B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3306B second address: A33075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F286D1EB856h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33075 second address: A33096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F286CDEE637h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33096 second address: A330B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F286D1EB868h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33244 second address: A3325A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jbe 00007F286CDEE62Ch 0x0000000b push ecx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A39989 second address: A3998D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3998D second address: A39997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FBB9E second address: 9FBBA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F68A5 second address: 9F68B9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F286CDEE628h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F286CDEE626h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F68B9 second address: 9F68BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3F9B7 second address: A3F9D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F286CDEE638h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3F9D5 second address: A3F9D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F4D62 second address: 9F4D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4419B second address: A441B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286D1EB860h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4424D second address: A44262 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F286CDEE62Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A44262 second address: A44299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F286D1EB856h 0x0000000a popad 0x0000000b pop edx 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007F286D1EB85Fh 0x00000015 mov eax, dword ptr [eax] 0x00000017 jc 00007F286D1EB85Ch 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push ebx 0x0000002a pushad 0x0000002b popad 0x0000002c pop ebx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A44615 second address: A4463C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE637h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F286CDEE628h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A449B0 second address: A449D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286D1EB866h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A44EB5 second address: A44EF1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F286CDEE626h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xchg eax, ebx 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F286CDEE628h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 jmp 00007F286CDEE62Dh 0x0000002b nop 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push edx 0x00000031 pop edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A44EF1 second address: A44EF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A44EF7 second address: A44F0C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F286CDEE62Ch 0x00000008 jbe 00007F286CDEE626h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push ecx 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4523C second address: A45246 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F286D1EB856h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4530A second address: A4530E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4530E second address: A45312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A45312 second address: A45318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A45470 second address: A454A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d jng 00007F286D1EB856h 0x00000013 jmp 00007F286D1EB867h 0x00000018 popad 0x00000019 popad 0x0000001a nop 0x0000001b xchg eax, ebx 0x0000001c pushad 0x0000001d jo 00007F286D1EB85Ch 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A454A7 second address: A454BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F286CDEE628h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A454BB second address: A454C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A454C1 second address: A454C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A454C7 second address: A454CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A45873 second address: A45877 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A45877 second address: A4587D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4587D second address: A458C3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F286CDEE62Ch 0x00000008 jl 00007F286CDEE626h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 add edi, 0DE8292Ah 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b mov dword ptr [ebp+122D38C1h], eax 0x00000021 xchg eax, ebx 0x00000022 jmp 00007F286CDEE634h 0x00000027 push eax 0x00000028 pushad 0x00000029 jmp 00007F286CDEE62Ah 0x0000002e push eax 0x0000002f push edx 0x00000030 push ecx 0x00000031 pop ecx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A490A2 second address: A490AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F286D1EB85Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A49DDD second address: A49E8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F286CDEE638h 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jng 00007F286CDEE62Ah 0x00000014 push ebx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 nop 0x00000019 jns 00007F286CDEE62Ch 0x0000001f sub dword ptr [ebp+122D23B2h], edx 0x00000025 call 00007F286CDEE62Fh 0x0000002a mov edi, 61E57332h 0x0000002f pop esi 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007F286CDEE628h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 00000016h 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c jmp 00007F286CDEE637h 0x00000051 push 00000000h 0x00000053 push edi 0x00000054 clc 0x00000055 pop edi 0x00000056 xchg eax, ebx 0x00000057 jnl 00007F286CDEE62Ah 0x0000005d push eax 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F286CDEE635h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4B3A7 second address: A4B3AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4BDF9 second address: A4BDFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4C6F7 second address: A4C719 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286D1EB85Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F286D1EB85Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4E494 second address: A4E49F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F286CDEE626h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4C719 second address: A4C71F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4C71F second address: A4C723 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A508AA second address: A508BB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F286D1EB856h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5271C second address: A527B1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a jmp 00007F286CDEE637h 0x0000000f pop esi 0x00000010 nop 0x00000011 jc 00007F286CDEE62Ch 0x00000017 mov dword ptr [ebp+122D36F4h], eax 0x0000001d sbb edi, 64C1F413h 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push edx 0x00000028 call 00007F286CDEE628h 0x0000002d pop edx 0x0000002e mov dword ptr [esp+04h], edx 0x00000032 add dword ptr [esp+04h], 0000001Bh 0x0000003a inc edx 0x0000003b push edx 0x0000003c ret 0x0000003d pop edx 0x0000003e ret 0x0000003f add di, 6580h 0x00000044 push 00000000h 0x00000046 or dword ptr [ebp+122D3479h], edi 0x0000004c xchg eax, esi 0x0000004d pushad 0x0000004e push ecx 0x0000004f jmp 00007F286CDEE634h 0x00000054 pop ecx 0x00000055 jmp 00007F286CDEE62Bh 0x0000005a popad 0x0000005b push eax 0x0000005c jo 00007F286CDEE62Eh 0x00000062 push ebx 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51A43 second address: A51A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A50AF3 second address: A50AF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51A49 second address: A51A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A53770 second address: A53774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A50AF8 second address: A50B16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F286D1EB85Ch 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007F286D1EB856h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A52988 second address: A5298D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51A4E second address: A51ABB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F286D1EB864h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e mov dword ptr [ebp+122D3472h], ebx 0x00000014 push dword ptr fs:[00000000h] 0x0000001b or ebx, 2DB21100h 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 pushad 0x00000029 mov dx, 5C99h 0x0000002d pushad 0x0000002e mov eax, dword ptr [ebp+122D3716h] 0x00000034 mov eax, dword ptr [ebp+122D2C81h] 0x0000003a popad 0x0000003b popad 0x0000003c mov eax, dword ptr [ebp+122D1711h] 0x00000042 push ebx 0x00000043 mov edi, dword ptr [ebp+1247B4D8h] 0x00000049 pop edi 0x0000004a push FFFFFFFFh 0x0000004c xor ebx, 7659E533h 0x00000052 mov dword ptr [ebp+122D1BEDh], ecx 0x00000058 nop 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A53774 second address: A537E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, dword ptr [ebp+122D2DD1h] 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F286CDEE628h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c jns 00007F286CDEE62Ch 0x00000032 jbe 00007F286CDEE62Bh 0x00000038 mov edi, 460BB998h 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push edi 0x00000042 call 00007F286CDEE628h 0x00000047 pop edi 0x00000048 mov dword ptr [esp+04h], edi 0x0000004c add dword ptr [esp+04h], 00000014h 0x00000054 inc edi 0x00000055 push edi 0x00000056 ret 0x00000057 pop edi 0x00000058 ret 0x00000059 or dword ptr [ebp+122D3396h], eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 js 00007F286CDEE626h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A50B16 second address: A50B1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A51ABB second address: A51AEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE630h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F286CDEE628h 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 pushad 0x00000015 jmp 00007F286CDEE62Fh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A50B1C second address: A50B27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F286D1EB856h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A54765 second address: A5476C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A55865 second address: A55877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F286D1EB85Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A55877 second address: A55881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F286CDEE626h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A55881 second address: A55885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A55885 second address: A55897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jng 00007F286CDEE62Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A55897 second address: A5589F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5589F second address: A558A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A549FA second address: A54A11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F286D1EB85Ah 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A54A11 second address: A54A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A54A17 second address: A54A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F286D1EB856h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A54A24 second address: A54A28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A58BC2 second address: A58BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A58BC6 second address: A58BCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A59C6D second address: A59C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C3C4 second address: A5C3D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F286CDEE62Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5D410 second address: A5D416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A57B60 second address: A57B65 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A57C6A second address: A57C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A57C6E second address: A57C85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE633h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A57C85 second address: A57C8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A58E5B second address: A58E61 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C567 second address: A5C624 instructions: 0x00000000 rdtsc 0x00000002 js 00007F286D1EB86Fh 0x00000008 jmp 00007F286D1EB869h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 ja 00007F286D1EB873h 0x00000016 nop 0x00000017 mov dword ptr [ebp+122D26BDh], ecx 0x0000001d push dword ptr fs:[00000000h] 0x00000024 mov dword ptr [ebp+122D1B29h], ebx 0x0000002a mov dword ptr fs:[00000000h], esp 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007F286D1EB858h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000015h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b mov eax, dword ptr [ebp+122D12B5h] 0x00000051 push 00000000h 0x00000053 push edx 0x00000054 call 00007F286D1EB858h 0x00000059 pop edx 0x0000005a mov dword ptr [esp+04h], edx 0x0000005e add dword ptr [esp+04h], 00000017h 0x00000066 inc edx 0x00000067 push edx 0x00000068 ret 0x00000069 pop edx 0x0000006a ret 0x0000006b jnl 00007F286D1EB85Ch 0x00000071 push FFFFFFFFh 0x00000073 and ebx, dword ptr [ebp+122D38EBh] 0x00000079 nop 0x0000007a push edx 0x0000007b pushad 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C624 second address: A5C62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C62A second address: A5C646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 js 00007F286D1EB86Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F286D1EB85Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C646 second address: A5C64A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5E7A7 second address: A5E7B1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F286D1EB85Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A621D6 second address: A621DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A67E1F second address: A67E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F286D1EB862h 0x00000009 jmp 00007F286D1EB85Bh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A67E47 second address: A67E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A67592 second address: A675A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F286D1EB85Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A675A3 second address: A675A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A675A7 second address: A675B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F286D1EB858h 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A67884 second address: A67889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A67889 second address: A678B5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F286D1EB86Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F286D1EB85Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D909 second address: A6D90E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D90E second address: A6D913 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D913 second address: A6D928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e je 00007F286CDEE626h 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D928 second address: A6D940 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F286D1EB863h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D940 second address: A6D958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c jmp 00007F286CDEE62Bh 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6DA1C second address: A6DA3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F286D1EB85Eh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71F85 second address: A71F98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE62Dh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7210D second address: A7211B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F286D1EB856h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7228E second address: A722E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F286CDEE636h 0x0000000b pop ebx 0x0000000c push ebx 0x0000000d pushad 0x0000000e jmp 00007F286CDEE637h 0x00000013 jg 00007F286CDEE626h 0x00000019 jmp 00007F286CDEE62Ch 0x0000001e ja 00007F286CDEE626h 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A722E1 second address: A722E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A722E5 second address: A722E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A722E9 second address: A722EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7271F second address: A72726 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A72726 second address: A7272C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7272C second address: A72732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A72BBB second address: A72BBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A72BBF second address: A72BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F286CDEE637h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A72BE1 second address: A72BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A72BE7 second address: A72BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A72BEC second address: A72C1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F286D1EB85Eh 0x0000000a jmp 00007F286D1EB85Bh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F286D1EB85Bh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7727A second address: A77282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A77282 second address: A772B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F286D1EB869h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F286D1EB862h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A772B4 second address: A772BB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A77425 second address: A77429 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A77991 second address: A77995 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A77995 second address: A7799B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76EDE second address: A76F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F286CDEE633h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F286CDEE633h 0x00000010 push eax 0x00000011 pop eax 0x00000012 jbe 00007F286CDEE626h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A77CB3 second address: A77CD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286D1EB862h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jl 00007F286D1EB856h 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A77E26 second address: A77E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F286CDEE626h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7DE79 second address: A7DE87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F286D1EB856h 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7DE87 second address: A7DEAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F286CDEE626h 0x0000000a pop edx 0x0000000b popad 0x0000000c jc 00007F286CDEE643h 0x00000012 jmp 00007F286CDEE62Dh 0x00000017 pushad 0x00000018 jno 00007F286CDEE626h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7C8BD second address: A7C8C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7CB6B second address: A7CB6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7CB6F second address: A7CBA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a push esi 0x0000000b jno 00007F286D1EB856h 0x00000011 pop esi 0x00000012 push eax 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 jmp 00007F286D1EB85Fh 0x0000001a pop eax 0x0000001b popad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f jnl 00007F286D1EB856h 0x00000025 push eax 0x00000026 pop eax 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7CD10 second address: A7CD14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7CE60 second address: A7CE64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7CE64 second address: A7CE68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7CE68 second address: A7CE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7CE73 second address: A7CEB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F286CDEE635h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ebx 0x0000000d jmp 00007F286CDEE631h 0x00000012 pushad 0x00000013 popad 0x00000014 pop ebx 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jbe 00007F286CDEE626h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7CEB0 second address: A7CECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F286D1EB868h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7CECD second address: A7CED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007F286CDEE626h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7D476 second address: A7D47B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7D47B second address: A7D480 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7D480 second address: A7D488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7D75B second address: A7D764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7D764 second address: A7D768 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A29637 second address: A2964F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F286CDEE62Bh 0x00000008 pop ecx 0x00000009 pushad 0x0000000a jnp 00007F286CDEE626h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00C38 second address: A00C3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00C3D second address: A00C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F286CDEE632h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7C5BE second address: A7C5C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7C5C2 second address: A7C5C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7C5C8 second address: A7C5DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F286D1EB85Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7C5DF second address: A7C5F6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F286CDEE626h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d jc 00007F286CDEE634h 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD61A second address: 9FD626 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F286D1EB856h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD626 second address: 9FD62B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD62B second address: 9FD638 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jo 00007F286D1EB856h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD638 second address: 9FD63E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FD63E second address: 9FD650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F286D1EB85Eh 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A86C09 second address: A86C0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A85A11 second address: A85A17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A85A17 second address: A85A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F286CDEE632h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A41AB5 second address: A41AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A41AB9 second address: A41ABF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A41BC1 second address: A41BD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286D1EB85Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A41BD0 second address: A41BE0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A85D25 second address: A85D29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A85D29 second address: A85D2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A85D2F second address: A85D60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 jng 00007F286D1EB867h 0x0000000c jmp 00007F286D1EB861h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F286D1EB85Fh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A85D60 second address: A85D64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A86172 second address: A861A5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F286D1EB860h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F286D1EB869h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A861A5 second address: A861A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A861A9 second address: A861AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A861AD second address: A861BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 jnl 00007F286CDEE626h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A86469 second address: A8646F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8646F second address: A8647E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F286CDEE626h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A86603 second address: A8661A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286D1EB85Dh 0x00000007 je 00007F286D1EB85Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8C4C5 second address: A8C4C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8C4C9 second address: A8C4E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F286D1EB856h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d jmp 00007F286D1EB85Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8C4E8 second address: A8C4EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8F354 second address: A8F37C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F286D1EB869h 0x00000009 jmp 00007F286D1EB85Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8F37C second address: A8F382 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8F500 second address: A8F50A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F286D1EB862h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8F687 second address: A8F696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F286CDEE626h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8F696 second address: A8F69A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8F69A second address: A8F6B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F286CDEE630h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8F6B0 second address: A8F6D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F286D1EB85Fh 0x00000009 jmp 00007F286D1EB864h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8F6D7 second address: A8F6E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE62Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A971CD second address: A971ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F286D1EB85Eh 0x00000009 jg 00007F286D1EB85Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A95AF6 second address: A95B37 instructions: 0x00000000 rdtsc 0x00000002 je 00007F286CDEE626h 0x00000008 jmp 00007F286CDEE62Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 jmp 00007F286CDEE634h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F286CDEE633h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A95C66 second address: A95CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 js 00007F286D1EB858h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jno 00007F286D1EB85Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F286D1EB85Ch 0x0000001b jmp 00007F286D1EB867h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A96302 second address: A9632C instructions: 0x00000000 rdtsc 0x00000002 je 00007F286CDEE628h 0x00000008 push edi 0x00000009 pop edi 0x0000000a jns 00007F286CDEE628h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 jne 00007F286CDEE626h 0x0000001b push edi 0x0000001c pop edi 0x0000001d pop edx 0x0000001e jbe 00007F286CDEE62Eh 0x00000024 push eax 0x00000025 pop eax 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9632C second address: A96330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A96330 second address: A96348 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F286CDEE62Dh 0x00000008 ja 00007F286CDEE626h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A96490 second address: A9649A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F286D1EB856h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9649A second address: A964BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE631h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a jng 00007F286CDEE63Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FBB93 second address: 9FBB9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B136 second address: A9B13A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B13A second address: A9B13E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B13E second address: A9B146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B146 second address: A9B14E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B14E second address: A9B173 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE638h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jc 00007F286CDEE626h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B173 second address: A9B197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 jg 00007F286D1EB870h 0x0000000e jmp 00007F286D1EB864h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9A39A second address: A9A3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F286CDEE626h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9A3A4 second address: A9A3BF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F286D1EB856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e jmp 00007F286D1EB85Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9A4FE second address: A9A515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F286CDEE62Ch 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9A515 second address: A9A51B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9A51B second address: A9A543 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE637h 0x00000007 jnl 00007F286CDEE626h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9A543 second address: A9A547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9A547 second address: A9A565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F286CDEE634h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9A565 second address: A9A574 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F286D1EB85Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9A6B9 second address: A9A6C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 je 00007F286CDEE62Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9A82F second address: A9A834 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9A834 second address: A9A851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F286CDEE634h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9A9B3 second address: A9A9D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F286D1EB85Eh 0x0000000a jnp 00007F286D1EB856h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9A9D0 second address: A9A9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9A9D6 second address: A9A9DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9AB3F second address: A9AB4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F286CDEE626h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9D9D3 second address: A9D9DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9D9DC second address: A9D9E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9D9E2 second address: A9D9FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286D1EB866h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9DCF4 second address: A9DD03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F286CDEE626h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9DD03 second address: A9DD09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9DD09 second address: A9DD0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA66B1 second address: AA66BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA485A second address: AA487D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE635h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F286CDEE62Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA4E64 second address: AA4E6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA4E6A second address: AA4E74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA4E74 second address: AA4E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA5186 second address: AA51A9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F286CDEE626h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F286CDEE639h 0x00000010 jmp 00007F286CDEE633h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA5B07 second address: AA5B23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286D1EB868h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA5B23 second address: AA5B34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F286CDEE626h 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA611A second address: AA6120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA6120 second address: AA6126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA6126 second address: AA6137 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA6137 second address: AA613B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAE9A7 second address: AAE9AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAEAFA second address: AAEB22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE631h 0x00000007 jmp 00007F286CDEE62Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7963 second address: AB798C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 jmp 00007F286D1EB868h 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f jns 00007F286D1EB856h 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB798C second address: AB79A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F286CDEE637h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB79A9 second address: AB79AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FF181 second address: 9FF198 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F286CDEE626h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d jbe 00007F286CDEE65Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FF198 second address: 9FF19C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FF19C second address: 9FF1B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE636h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FF1B6 second address: 9FF1C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB5921 second address: AB593C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE62Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a je 00007F286CDEE62Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB593C second address: AB5945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB5945 second address: AB594B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB594B second address: AB5951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB5AE1 second address: AB5AE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB6428 second address: AB6453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F286D1EB85Dh 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007F286D1EB861h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB6453 second address: AB6457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB6457 second address: AB645B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB65A1 second address: AB65C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F286CDEE62Dh 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F286CDEE630h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB673D second address: AB6772 instructions: 0x00000000 rdtsc 0x00000002 js 00007F286D1EB86Bh 0x00000008 jmp 00007F286D1EB865h 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007F286D1EB856h 0x00000015 jmp 00007F286D1EB860h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB6772 second address: AB6784 instructions: 0x00000000 rdtsc 0x00000002 js 00007F286CDEE626h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB68D0 second address: AB68E3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F286D1EB85Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB68E3 second address: AB68EB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB68EB second address: AB68F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABB9AD second address: ABB9B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABB9B3 second address: ABB9BD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F286D1EB856h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABDBC0 second address: ABDBC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABDBC4 second address: ABDBCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0AB7D second address: A0AB9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jne 00007F286CDEE628h 0x0000000b jo 00007F286CDEE62Eh 0x00000011 pushad 0x00000012 popad 0x00000013 jc 00007F286CDEE626h 0x00000019 popad 0x0000001a push edi 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0AB9D second address: A0ABA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC0F09 second address: AC0F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F286CDEE633h 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC0F24 second address: AC0F28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC0F28 second address: AC0F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC0AEE second address: AC0B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F286D1EB868h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC0B11 second address: AC0B15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC0B15 second address: AC0B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACE8EB second address: ACE913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F286CDEE626h 0x0000000a jmp 00007F286CDEE633h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 pop eax 0x00000013 jnc 00007F286CDEE626h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACE913 second address: ACE918 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACE4A8 second address: ACE4D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F286CDEE632h 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jnl 00007F286CDEE626h 0x00000013 popad 0x00000014 popad 0x00000015 push edx 0x00000016 push esi 0x00000017 pushad 0x00000018 popad 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b pop esi 0x0000001c push eax 0x0000001d push edx 0x0000001e jns 00007F286CDEE626h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACE4D9 second address: ACE4DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD2434 second address: AD2438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD2438 second address: AD2444 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD2444 second address: AD2448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD8B22 second address: AD8B2C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F286D1EB856h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE1803 second address: AE1807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE1807 second address: AE1825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F286D1EB864h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE1825 second address: AE183D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE630h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE183D second address: AE1841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEA62C second address: AEA639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F286CDEE62Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE90AD second address: AE90C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F286D1EB862h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE9394 second address: AE93A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F286CDEE62Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE94D5 second address: AE94E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F286D1EB856h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE94E9 second address: AE94ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE94ED second address: AE950C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286D1EB865h 0x00000007 jl 00007F286D1EB856h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE9797 second address: AE979D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE979D second address: AE97B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 jo 00007F286D1EB856h 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007F286D1EB856h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE97B9 second address: AE97C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F286CDEE626h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE97C5 second address: AE97CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEA34B second address: AEA34F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFB4FA second address: AFB500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFB500 second address: AFB50B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F286CDEE626h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFB50B second address: AFB521 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F286D1EB85Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B0D0A1 second address: B0D0A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B25012 second address: B25021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F286D1EB85Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B25021 second address: B2506E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE62Eh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnc 00007F286CDEE62Eh 0x00000011 jbe 00007F286CDEE636h 0x00000017 jmp 00007F286CDEE630h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F286CDEE633h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2506E second address: B25072 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B252CB second address: B252CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B256D4 second address: B256D9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B28BA1 second address: B28BA6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B28BA6 second address: B28BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 jl 00007F286D1EB85Eh 0x0000000e pushad 0x0000000f mov esi, dword ptr [ebp+12451F2Bh] 0x00000015 popad 0x00000016 push 00000004h 0x00000018 push ecx 0x00000019 mov dword ptr [ebp+122D197Ah], ebx 0x0000001f pop edx 0x00000020 mov edx, ebx 0x00000022 call 00007F286D1EB859h 0x00000027 jmp 00007F286D1EB868h 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 pop edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B28BF0 second address: B28C38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE630h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F286CDEE635h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F286CDEE637h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B28C38 second address: B28C5D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F286D1EB85Ch 0x00000008 jbe 00007F286D1EB856h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 jmp 00007F286D1EB85Dh 0x0000001a push esi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B28EBB second address: B28EBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2BDF2 second address: B2BDF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2BDF6 second address: B2BE01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2BE01 second address: B2BE07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2BE07 second address: B2BE13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F286CDEE626h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C10D7A second address: 4C10D92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F286D1EB864h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C10D92 second address: 4C10DAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [eax+00000FDCh] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F286CDEE62Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C10DAC second address: 4C10E07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286D1EB85Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, ecx 0x0000000b pushad 0x0000000c call 00007F286D1EB864h 0x00000011 call 00007F286D1EB862h 0x00000016 pop ecx 0x00000017 pop edx 0x00000018 mov bh, ch 0x0000001a popad 0x0000001b jns 00007F286D1EB893h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F286D1EB866h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C10E07 second address: 4C10EAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add eax, ecx 0x0000000c jmp 00007F286CDEE639h 0x00000011 mov eax, dword ptr [eax+00000860h] 0x00000017 pushad 0x00000018 pushad 0x00000019 jmp 00007F286CDEE62Ah 0x0000001e call 00007F286CDEE632h 0x00000023 pop eax 0x00000024 popad 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F286CDEE631h 0x0000002c sub ecx, 05E8DF86h 0x00000032 jmp 00007F286CDEE631h 0x00000037 popfd 0x00000038 mov si, B937h 0x0000003c popad 0x0000003d popad 0x0000003e test eax, eax 0x00000040 jmp 00007F286CDEE62Ah 0x00000045 je 00007F28DEB144F6h 0x0000004b jmp 00007F286CDEE630h 0x00000050 test byte ptr [eax+04h], 00000005h 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C10EAF second address: 4C10EB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C10EB3 second address: 4C10ED0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F286CDEE639h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4706A second address: A47071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A47071 second address: A47077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A47077 second address: A4707B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4707B second address: A4707F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 893B84 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 893C3C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A35B4C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A416BE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: AC6C8D instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 1364

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2158729439.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2158442402.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158681082.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnr
Source: file.exe, 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00875BB0 LdrInitializeThunk,

0_2_00875BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor

Source: file.exe, file.exe, 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	5 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	unknown
sergei-esenin.com	172.67.206.204	true	true	unknown
eaglepawnoy.store	unknown	unknown	false	unknown
bathdoomgaz.store	unknown	unknown	false	unknown
spirittunek.store	unknown	unknown	false	unknown
licendfilteo.site	unknown	unknown	true	unknown
studennotediw.store	unknown	unknown	false	unknown
mobbipenju.store	unknown	unknown	false	unknown
clearancek.site	unknown	unknown	true	unknown
dissapoiznw.store	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
studennotediw.stor	true		unknown
mobbipenju.stor	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
bathdoomgaz.stor	true		unknown
dissapoiznw.stor	true		unknown
spirittunek.stor	true		unknown
eaglepawnoy.stor	true		unknown
clearancek.site	true		unknown
licendfilteo.site	true		unknown
https://sergei-esenin.com/api	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://player.vimeo.com	file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	file.exe, 00000000.00000003.2158729439.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sergei-esenin.com/	file.exe, 00000000.00000003.2167205745.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com	file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://eaglepawnoy.store/	file.exe, 00000000.00000003.2158442402.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s.ytimg.com;	file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steam.tv/	file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/u	file.exe, 00000000.00000003.2167205745.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sketchfab.com	file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://www.youtube.com/	file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://clearancek.site/	file.exe, 00000000.00000002.2180089779.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com:443/api	file.exe, 00000000.00000003.2167205745.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/U	file.exe, 00000000.00000003.2167205745.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://dissapoiznw.store/	file.exe, 00000000.00000003.2158442402.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://avatars.akamai.steamstatic	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	file.exe, 00000000.00000003.2158729439.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/my/wishlist/	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/en/	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/market/	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180357030.0000000000E44000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=9yzMGndrVfY4&l=e	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180357030.0000000000E44000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900Q	file.exe, 00000000.00000003.2158442402.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167205745.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158681082.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180089779.0000000000DC3000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:27060	file.exe, 00000000.00000003.2158442402.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/	file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	file.exe, 00000000.00000003.2158622921.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2180357030.0000000000E44000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158442402.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	file.exe, 00000000.00000003.2158403203.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158403203.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167183387.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false
172.67.206.204	sergei-esenin.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1526761
Start date and time:	2024-10-06 15:42:03 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@10/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:42:55	API Interceptor	2x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm
172.67.206.204	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
172.67.206.204	http://app.easygoogleanalytics4.com	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sergei-esenin.com	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.53.8
sergei-esenin.com	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.206.204
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://steamcomminutty.com/tradeoffer/new/?partner=917461351&token=ynekauF-3y	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://sneamcomnnumnlty.com/jfh8893040282949023/here/put	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://steamcommunrutty.com/gift/actlvation=Mor85Fhn6w4	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	http://sneamcomnnumnlty.com/fact/actual/get	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://pp578bb256.top/	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://meta.manager-activity-central.com/	Get hash	malicious	Unknown	Browse	104.26.8.218
	https://cp-wc32.syd02.ds.network/~melbou28/cgi.bin/fr/500b0/	Get hash	malicious	Unknown	Browse	104.17.249.203
	http://x3viswxo.clinicaimplantologica3d.com/	Get hash	malicious	Unknown	Browse	104.26.8.169
	https://qqq.ujadw.dns-dynamic.net/	Get hash	malicious	Unknown	Browse	172.66.44.162
	https://allegrolokalnie.pl-546t348977t.shop/oferta/afbc38c3-8517-464b-b221-f0b162797375	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	https://sneamcomnnumnlty.com/hf848934234829924/get/put	Get hash	malicious	HTMLPhisher	Browse	104.21.91.169
	https://garretitlaw.wixstudio.io/website	Get hash	malicious	Unknown	Browse	172.66.0.227
	http://meta.case-page-appeal.eu/community-standard/112225492204863/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://pub-1af65f96e8534cf4a29c29ca6913df14.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	172.66.0.235
AKAMAI-ASUS	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://steamcomminutty.com/tradeoffer/new/?partner=917461351&token=ynekauF-3y	Get hash	malicious	Unknown	Browse	88.221.169.65
	https://sneamcomnnumnlty.com/jfh8893040282949023/here/put	Get hash	malicious	Unknown	Browse	88.221.169.65
	https://steamcommunrutty.com/gift/actlvation=Mor85Fhn6w4	Get hash	malicious	Unknown	Browse	104.102.49.254
	http://www.ledger-secure03948.sssgva.com/	Get hash	malicious	Unknown	Browse	88.221.168.23
	http://monespacebnpp.com/	Get hash	malicious	Unknown	Browse	104.102.46.63
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9485063396616376
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'859'072 bytes
MD5:	42a232e57060ade55ead882db1c16979
SHA1:	6d5867e90a1f2786c8948ed5a8e4cc0eb00ff44c
SHA256:	b0c92d0e3de2c7c17cdcd1baf9fb4c976ea11518d7baf191c6fc0677e4e5dd3a
SHA512:	f6cb9bf103be7536c008d2978afb98955d603620e3522576db19917b765febf8d6cce5bb001b7d005c04aa6bc0b687cc90036831b93cd4655c1ee756620ef0b8
SSDEEP:	49152:Edex3Djj8TqV9LI5g2ovwsgoZLj3TCsJ7fpkXxwWWX:EdmHj8YLccvwGZ33TCslhmxdWX
TLSH:	B985333EDE04932AF82F653516EB4B4505B250E1AA96F6AB3E0E35D7F42B3C744244CB
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f.............................PJ...........@...........................J...........@.................................W...k..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8a5000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F286C4C967Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	78c93085613c63519a3d3d33f61e4d65	False	0.9994263098184818	DOS executable (COM)	7.975621089562242	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x2a7000	0x200	10e8cf73459ba458a98c0c8ba8914c5e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rncouxpj	0x307000	0x19d000	0x19c400	be7acce5616e2d06214ce8ae54168f3d	False	0.9934927418132201	data	7.95477000812694	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
znrgkcxy	0x4a4000	0x1000	0x600	a0acf03d401011dd89d6d968bbc69346	False	0.6263020833333334	data	5.366713715755408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4a5000	0x3000	0x2200	bd79f3386510244486f69100cf6f5158	False	0.06479779411764706	DOS executable (COM)	0.8076089725679726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-06T15:42:56.526607+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.6	57211	1.1.1.1	53	UDP
2024-10-06T15:42:56.539630+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.6	59611	1.1.1.1	53	UDP
2024-10-06T15:42:56.555361+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.6	59831	1.1.1.1	53	UDP
2024-10-06T15:42:56.571459+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.6	58508	1.1.1.1	53	UDP
2024-10-06T15:42:56.586685+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.6	61398	1.1.1.1	53	UDP
2024-10-06T15:42:56.601235+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.6	64690	1.1.1.1	53	UDP
2024-10-06T15:42:56.612686+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.6	57500	1.1.1.1	53	UDP
2024-10-06T15:42:56.624919+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.6	60521	1.1.1.1	53	UDP
2024-10-06T15:42:59.016935+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49712	172.67.206.204	443	TCP
2024-10-06T15:42:59.016935+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49712	172.67.206.204	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 15:42:56.649518013 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:56.649561882 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:56.649640083 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:56.652431011 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:56.652443886 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:57.294351101 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:57.294600010 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:57.339827061 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:57.339878082 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:57.340184927 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:57.395114899 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:57.611404896 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:57.659398079 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:58.025516987 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:58.025546074 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:58.025554895 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:58.025572062 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:58.025579929 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:58.025648117 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:58.025648117 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:58.025665998 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:58.025712967 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:58.130158901 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:58.130187988 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:58.130286932 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:58.130286932 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:58.130306959 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:58.130359888 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:58.135570049 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:58.135643005 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:58.135648966 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:58.135687113 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:58.135725021 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:58.135725021 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:58.137979984 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:58.137993097 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:58.138145924 CEST	49710	443	192.168.2.6	104.102.49.254
Oct 6, 2024 15:42:58.138150930 CEST	443	49710	104.102.49.254	192.168.2.6
Oct 6, 2024 15:42:58.201786041 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 6, 2024 15:42:58.201843977 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 6, 2024 15:42:58.201911926 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 6, 2024 15:42:58.202738047 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 6, 2024 15:42:58.202764034 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 6, 2024 15:42:58.682899952 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 6, 2024 15:42:58.682986021 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 6, 2024 15:42:58.684616089 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 6, 2024 15:42:58.684621096 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 6, 2024 15:42:58.684941053 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 6, 2024 15:42:58.686384916 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 6, 2024 15:42:58.686427116 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 6, 2024 15:42:58.686475039 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 6, 2024 15:42:59.016915083 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 6, 2024 15:42:59.016990900 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 6, 2024 15:42:59.017061949 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 6, 2024 15:42:59.017323017 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 6, 2024 15:42:59.017364025 CEST	443	49712	172.67.206.204	192.168.2.6
Oct 6, 2024 15:42:59.017386913 CEST	49712	443	192.168.2.6	172.67.206.204
Oct 6, 2024 15:42:59.017400026 CEST	443	49712	172.67.206.204	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 15:42:56.526607037 CEST	57211	53	192.168.2.6	1.1.1.1
Oct 6, 2024 15:42:56.536588907 CEST	53	57211	1.1.1.1	192.168.2.6
Oct 6, 2024 15:42:56.539629936 CEST	59611	53	192.168.2.6	1.1.1.1
Oct 6, 2024 15:42:56.550189018 CEST	53	59611	1.1.1.1	192.168.2.6
Oct 6, 2024 15:42:56.555361032 CEST	59831	53	192.168.2.6	1.1.1.1
Oct 6, 2024 15:42:56.565771103 CEST	53	59831	1.1.1.1	192.168.2.6
Oct 6, 2024 15:42:56.571459055 CEST	58508	53	192.168.2.6	1.1.1.1
Oct 6, 2024 15:42:56.581388950 CEST	53	58508	1.1.1.1	192.168.2.6
Oct 6, 2024 15:42:56.586684942 CEST	61398	53	192.168.2.6	1.1.1.1
Oct 6, 2024 15:42:56.596194029 CEST	53	61398	1.1.1.1	192.168.2.6
Oct 6, 2024 15:42:56.601234913 CEST	64690	53	192.168.2.6	1.1.1.1
Oct 6, 2024 15:42:56.609909058 CEST	53	64690	1.1.1.1	192.168.2.6
Oct 6, 2024 15:42:56.612685919 CEST	57500	53	192.168.2.6	1.1.1.1
Oct 6, 2024 15:42:56.622383118 CEST	53	57500	1.1.1.1	192.168.2.6
Oct 6, 2024 15:42:56.624918938 CEST	60521	53	192.168.2.6	1.1.1.1
Oct 6, 2024 15:42:56.635133982 CEST	53	60521	1.1.1.1	192.168.2.6
Oct 6, 2024 15:42:56.637480021 CEST	53081	53	192.168.2.6	1.1.1.1
Oct 6, 2024 15:42:56.644542933 CEST	53	53081	1.1.1.1	192.168.2.6
Oct 6, 2024 15:42:58.178430080 CEST	62705	53	192.168.2.6	1.1.1.1
Oct 6, 2024 15:42:58.188540936 CEST	53	62705	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 6, 2024 15:42:56.526607037 CEST	192.168.2.6	1.1.1.1	0x219f	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:56.539629936 CEST	192.168.2.6	1.1.1.1	0x5717	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:56.555361032 CEST	192.168.2.6	1.1.1.1	0xf010	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:56.571459055 CEST	192.168.2.6	1.1.1.1	0x465b	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:56.586684942 CEST	192.168.2.6	1.1.1.1	0xd05	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:56.601234913 CEST	192.168.2.6	1.1.1.1	0x2042	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:56.612685919 CEST	192.168.2.6	1.1.1.1	0xeea2	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:56.624918938 CEST	192.168.2.6	1.1.1.1	0x1ad	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:56.637480021 CEST	192.168.2.6	1.1.1.1	0xe996	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:58.178430080 CEST	192.168.2.6	1.1.1.1	0xbd71	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 6, 2024 15:42:56.536588907 CEST	1.1.1.1	192.168.2.6	0x219f	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:56.550189018 CEST	1.1.1.1	192.168.2.6	0x5717	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:56.565771103 CEST	1.1.1.1	192.168.2.6	0xf010	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:56.581388950 CEST	1.1.1.1	192.168.2.6	0x465b	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:56.596194029 CEST	1.1.1.1	192.168.2.6	0xd05	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:56.609909058 CEST	1.1.1.1	192.168.2.6	0x2042	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:56.622383118 CEST	1.1.1.1	192.168.2.6	0xeea2	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:56.635133982 CEST	1.1.1.1	192.168.2.6	0x1ad	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:56.644542933 CEST	1.1.1.1	192.168.2.6	0xe996	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:58.188540936 CEST	1.1.1.1	192.168.2.6	0xbd71	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false
Oct 6, 2024 15:42:58.188540936 CEST	1.1.1.1	192.168.2.6	0xbd71	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	104.102.49.254	443	4784	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-06 13:42:57 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-06 13:42:58 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sun, 06 Oct 2024 13:42:57 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=637a60dbd0a430637a7ac2fe; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-06 13:42:58 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-06 13:42:58 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-06 13:42:58 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-06 13:42:58 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49712	172.67.206.204	443	4784	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-06 13:42:58 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-06 13:42:58 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-06 13:42:59 UTC	803	IN	HTTP/1.1 200 OK Date: Sun, 06 Oct 2024 13:42:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1ib87fr5qe9hk4qlqn5k45o68b; expires=Thu, 30 Jan 2025 07:29:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rJ%2FD7l5hPIig0sOkKkNGcy689QkVU6vgQyL957eRzbUDgkgE%2FxHTRurjn72TbEV89Uf5VMmKukcB3tJ3B29H8UP2NaQlvUREuZr%2B5xoSJ%2Blg6e4fB7CinLx%2FKX%2FhSlTkO63KUA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ce613e93ca34379-EWR
2024-10-06 13:42:59 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-06 13:42:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:42:54
Start date:	06/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x830000
File size:	1'859'072 bytes
MD5 hash:	42A232E57060ADE55EAD882DB1C16979
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	65.5%
Total number of Nodes:	55
Total number of Limit Nodes:	5

Executed Functions

Function 008750FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(19A41BB1,00000000,00000800), ref: 00875182

Strings

<I$), xrefs: 008752E3
@^, xrefs: 00875120
<I$), xrefs: 00875198

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: <I$)$<I$)$@^
API String ID: 1029625771-935358343
Opcode ID: dfd973967d312f23c781ef054860451e0da1d2e64676c959add8ef39c738fc3b
Instruction ID: 9f6308d0a795791bd628153be976273db3ba7362db96e9a0f98b0233ced2a665
Opcode Fuzzy Hash: dfd973967d312f23c781ef054860451e0da1d2e64676c959add8ef39c738fc3b
Instruction Fuzzy Hash: CF216D351083848FD300DF68E89176AF7E4FB6A304FA9882CE1C5D7352E676DA158B56

Function 0083FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

V, xrefs: 0083FEDC
J|BJ, xrefs: 0084000D
t, xrefs: 0083FCBE
VY^_, xrefs: 0083FDFF

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: 3ccdbb779c8ad83fe791434ebe23e6dd027be079c75c194ddd368320c1a1fd75
Instruction ID: f705d6403a9e55e0b4f727b19e84450b3c79e9d8730283ab8880a56d95c1336e
Opcode Fuzzy Hash: 3ccdbb779c8ad83fe791434ebe23e6dd027be079c75c194ddd368320c1a1fd75
Instruction Fuzzy Hash: 54D1557550C3989BD311DF18949061FBBE1FB96B48F14882CFAC98B252D735C909DF92

Function 0083D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 0083D2F1

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 61537b3e8d7efeb6640a3ed8f5cb2e274b346df7a3fa1e95c2efbea1d3edcfe4
Instruction ID: c83365e47da6b1b899ab0e00a962df324aee536768fb552c5ca3c38ffbc2fcf5
Opcode Fuzzy Hash: 61537b3e8d7efeb6640a3ed8f5cb2e274b346df7a3fa1e95c2efbea1d3edcfe4
Instruction Fuzzy Hash: DE411270409340ABD601BB68E584A2EFBE5EF92705F148C1CE5C4DB252C235E8249BA7

Function 00875700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 00875784

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 370cec46267f345fe083640f688c1525a0c092eafe0d1df7da2b66c84a9f4fa2
Instruction ID: 8a098f6fd1dbf60e92266a83ff23e8ab4a84c7eb97c3e3ebc322a3fbecbae597
Opcode Fuzzy Hash: 370cec46267f345fe083640f688c1525a0c092eafe0d1df7da2b66c84a9f4fa2
Instruction Fuzzy Hash: 4A118C71918240EBC305AF2CE841A1BBBE5EF96B15F058828E488DB215D335D810DBA3

Function 00875BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0087973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 00875BDE

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0087695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 008769C5

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 7a8c41e28e4a5e97dc3fde0fe4cc25cf3bc5767d47449d95473b3b4b5984d19f
Instruction ID: 967ec4c974bb4e0128350109c83ab6438f7d4a9fea4fdfe1c567d897b9c073f8
Opcode Fuzzy Hash: 7a8c41e28e4a5e97dc3fde0fe4cc25cf3bc5767d47449d95473b3b4b5984d19f
Instruction Fuzzy Hash: CC3176B15083028BD718EF18D890A2ABBE1FF85344F48982CE5CAD72A5E334D9148B56

Function 0084049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd273d8ab7baf1e3b4bf2a6b236daa95658fa3b771f48392d1b3825164f821f2
Instruction ID: d1f3f724b3c864b7d0f3013b36c03a3af1728c92fbe730138b942607cfe670b2
Opcode Fuzzy Hash: dd273d8ab7baf1e3b4bf2a6b236daa95658fa3b771f48392d1b3825164f821f2
Instruction Fuzzy Hash: 35918975200B01CFD724CF25E894A17B7F6FF89314B118A6CE95A8BBA2D771E815CB90

Function 00840228 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70640d92dc7a780762057558f4fb981e0e561ab9f27a1cfa71894e50c1730b23
Instruction ID: b30d6ab731de270ebaf64419d8d6d343fb93c6b69b084c4916bcfa18142bf242
Opcode Fuzzy Hash: 70640d92dc7a780762057558f4fb981e0e561ab9f27a1cfa71894e50c1730b23
Instruction Fuzzy Hash: 93718835204B01CFD7248F25E898A17B7F6FF89314F10896CEA4A8BAA2D731E855CF50

Function 008799D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a72d05ab7d16591e8ae584fdf47032f04320805a8b54e435b9be79f132d7ae
Instruction ID: b11f93ddcb001fa6897fab4dc931676ab7b608ec7f1209ddf8cb1b653da1d669
Opcode Fuzzy Hash: 99a72d05ab7d16591e8ae584fdf47032f04320805a8b54e435b9be79f132d7ae
Instruction Fuzzy Hash: 9A414834209310ABD714AA19E891B2AFBF6FB85724F64C82CE5CED7255D335E811CB62

Function 008763B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b27f9fc8c79ca63a6d91c4feed0d27fb301d511572fe1671fc155ed59afa258
Instruction ID: d69c45d4b926705aaa0a78364673c32cc71ec07b1ccfefb8aa188c0af03f9ea6
Opcode Fuzzy Hash: 6b27f9fc8c79ca63a6d91c4feed0d27fb301d511572fe1671fc155ed59afa258
Instruction Fuzzy Hash: 5B31E470649701BBD624DB08CD82F3AB7A5FB81B15F64C50CF189AB2E5E370E821CB56

Function 00840EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d84cd6d3f93aef2a49cbb8f6fba0d39c77ffaec24eafe0ebd19d9a0f4a561f
Instruction ID: 1d296ae8feeeb8ddc3b125cd85ab6ed637bc9b5a6303ced33b546c4a7356be9d
Opcode Fuzzy Hash: c0d84cd6d3f93aef2a49cbb8f6fba0d39c77ffaec24eafe0ebd19d9a0f4a561f
Instruction Fuzzy Hash: A2212AB490022A9FDB15CF94CC90BBEBBB1FB46304F144819E911BB292C735A945CF64

Function 00873220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 008732A6

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 91ebc6b4f1ad597eeffa1625cf8f813ef7cf394d3f58bfd4fecd1b5c7f177280
Instruction ID: ebb030b65d6aaf766c882ef0986d6d8521796e9af934d582cb072ea9e957841d
Opcode Fuzzy Hash: 91ebc6b4f1ad597eeffa1625cf8f813ef7cf394d3f58bfd4fecd1b5c7f177280
Instruction Fuzzy Hash: 1801463450D3409BC701AB18E885A1ABBE8FF5AB01F05882CE5C98B362D235DD60DBA3

Function 00873202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00873208

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 24fd016ef6f7cbf59f313e4d318db0fec858cc6ec73dfb43e8a8ef23f7bfae09
Instruction ID: 0f70730de1aacf35bff045c21a36798610da589dfc6dbc827a7c5ed958427503
Opcode Fuzzy Hash: 24fd016ef6f7cbf59f313e4d318db0fec858cc6ec73dfb43e8a8ef23f7bfae09
Instruction Fuzzy Hash: 24B012300401005FEA082B04EC0AF003610FB00605FC00050A100040F1D1615864C654

Non-executed Functions

Function 008623E0 Relevance: 33.0, APIs: 4, Strings: 13, Instructions: 3298COMMON

Download Yara Rule

Strings

{l`~, xrefs: 0086268C
f@~!, xrefs: 008625FF
#v, xrefs: 0086344B, 00864861
:, xrefs: 008632DD
fedc, xrefs: 00862782
|}&C, xrefs: 00862F21
3<, xrefs: 008632D6
mlc@, xrefs: 0086275C
`tii, xrefs: 00862693
ggxz, xrefs: 00862685
%*+(, xrefs: 008640EF
aenQ, xrefs: 0086276A
Cx, xrefs: 0086453D

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C$#v
API String ID: 0-2260822535
Opcode ID: e1f48ecbfc74b4e17e7f1df426b314493c7ddec81e2dcdff573b4f7ca50f4951
Instruction ID: 76b1f19f4eab2ee14f7f74d16dbf804d4070afab9e7d2b5f18606bd9782ea15d
Opcode Fuzzy Hash: e1f48ecbfc74b4e17e7f1df426b314493c7ddec81e2dcdff573b4f7ca50f4951
Instruction Fuzzy Hash: 8333BC70504B818FD7258F38C590B66BBE1FF16304F58899DE4DA8BB92C735E906CBA1

Function 0084DB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

|, xrefs: 0084ECB1
tsrq, xrefs: 0084E6FC
lkji, xrefs: 0084E73E
%*+(, xrefs: 0084DE37, 0084DE46
`Y^_, xrefs: 0084E99E
QNOL, xrefs: 0084E775
dcba, xrefs: 0084E728
T, xrefs: 0084F157
AR, xrefs: 0084DD10
<=2, xrefs: 0084EA01
DCBA, xrefs: 0084E887, 0084E896
()./, xrefs: 0084E9CA
mjkh, xrefs: 0084E7D8
D, xrefs: 0084E846
`onm, xrefs: 0084E733
:WUE, xrefs: 0084F6B7, 0084F6C6
@ONM, xrefs: 0084E6DB
89&', xrefs: 0084E93B
tuJK, xrefs: 0084E967
<=:;, xrefs: 0084E930
WP, xrefs: 0084DCEF
xgfe, xrefs: 0084E71D
LKJI, xrefs: 0084E6E6
89>?, xrefs: 0084E9F6

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: 01cae325cd5ece93f19e55a6331f2d589c8cc747378f76c8fad750cf9b5f626c
Instruction ID: c09c7fa7d466915ebec1797b9a89e60fa5325995725780a3d8927ab9d737c186
Opcode Fuzzy Hash: 01cae325cd5ece93f19e55a6331f2d589c8cc747378f76c8fad750cf9b5f626c
Instruction Fuzzy Hash: 16F255B05093859BD770CF18C884BABBBE2FBD5304F14882CE5C9DB252DB759984CB92

Function 00859F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

Gt, xrefs: 00859FF8
JG, xrefs: 0085AA27
_Y, xrefs: 0085A641
=], xrefs: 0085A36A
kW, xrefs: 0085A380
]{, xrefs: 0085A1E7, 0085A1F3
%e6g, xrefs: 0085A152
WQ, xrefs: 0085A62B
?m,o, xrefs: 0085A13C
(a*c, xrefs: 0085A147
CG, xrefs: 0085AA32
S], xrefs: 0085A636
N[, xrefs: 0085A375
sm, xrefs: 0085A830
/), xrefs: 0085A66D
hi, xrefs: 0085AB9D
WH, xrefs: 0085AA1C

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: f2a4deb067f952493463c1b6bd9ba19cbd08edc69478bf54a9cc5b566144942c
Instruction ID: fa6bcd284da9fe9dbb4260ffaa3ad2784f0f72e2b00b056fe7e732f5a50bbee3
Opcode Fuzzy Hash: f2a4deb067f952493463c1b6bd9ba19cbd08edc69478bf54a9cc5b566144942c
Instruction Fuzzy Hash: 2352B6B404D385CAE274CF25D581B8EBAF1BB92740F608A1DE5ED9B255DB708049CF93

Function 00859510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

G+X5, xrefs: 00859AF3
B7U1, xrefs: 00859AFB
z=Q?, xrefs: 00859826
O+f), xrefs: 00859634, 0085963D
L3Y=, xrefs: 00859B03
,A&C, xrefs: 0085982E
G'M!, xrefs: 00859ADB
pq, xrefs: 008599E0
T#a-, xrefs: 00859AE3
?M0K, xrefs: 00859968
X/R), xrefs: 00859AEB
!E4G, xrefs: 00859836
2A"_, xrefs: 00859980
8;, xrefs: 00859B13
B?Q9, xrefs: 00859B0B
;IJK, xrefs: 0085983E

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: bf6d848c5e7cd05f2f061e58c871f11bb9891e64ff623c55492f8b5f55e4d427
Instruction ID: ea111c9b26972f7818a8199c1224605041dd2623360e8d4b9e10a5d3fe606bd4
Opcode Fuzzy Hash: bf6d848c5e7cd05f2f061e58c871f11bb9891e64ff623c55492f8b5f55e4d427
Instruction Fuzzy Hash: 46F13EB4508384ABD310DF19D881A2BBBF4FB96B49F444D1CF9D99B252E334D908CB96

Function 0085DD29 Relevance: 14.9, Strings: 11, Instructions: 1142COMMON

Download Yara Rule

Strings

Y9N;, xrefs: 0085E245
n\+H, xrefs: 0085DDC0
hX]N, xrefs: 0085DDC7
)IgK, xrefs: 0085E261
%*+(, xrefs: 0085E143
-M2O, xrefs: 0085E25A
{E, xrefs: 0085E323
,Q?S, xrefs: 0085E26F
=]+_, xrefs: 0085E276
upH}, xrefs: 0085DE8A, 0085E798, 0085DF4A
<Y.[, xrefs: 0085E27D

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$upH}${E
API String ID: 0-1557708024
Opcode ID: 545de320eef6f584e9b861f24fddbdad29e855a22e220b506cfea9ec7cd0b62b
Instruction ID: 9818797abfe64eb2476d2490045fd5148f3c6e8cea0d9223753aa21a25b9912f
Opcode Fuzzy Hash: 545de320eef6f584e9b861f24fddbdad29e855a22e220b506cfea9ec7cd0b62b
Instruction Fuzzy Hash: 99920471E00215CFDB18CF68D8416AEBBB2FF49311F298168E856EB391D735AD06CB91

Function 009FA509 Relevance: 12.9, Strings: 9, Instructions: 1623COMMON

Download Yara Rule

Strings

rp_g, xrefs: 009FA722
8M}, xrefs: 009FAA40
11O, xrefs: 009FB53B
n[, xrefs: 009FB8FF
o[S, xrefs: 009FAC1C
g'^O, xrefs: 009FA64D
(J#, xrefs: 009FA9B2
}u}M, xrefs: 009FB5E6
[>n~, xrefs: 009FAA2A

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: (J#$11O$8M}$[>n~$g'^O$n[$rp_g$}u}M$o[S
API String ID: 0-4211955895
Opcode ID: 22674aff07a2542b969a64cdb8e493cff650a32e90ebd2b80bd12d8b17ee7a56
Instruction ID: 332aae01e8df91b5fc23aaa8aa02b577cb8c15df339f4698fa9fe9407bfaa758
Opcode Fuzzy Hash: 22674aff07a2542b969a64cdb8e493cff650a32e90ebd2b80bd12d8b17ee7a56
Instruction Fuzzy Hash: ABB215F3A0C2049FE304AE2DEC8567ABBE5EF94720F16493DEAC5C3744EA3558058697

Function 00A095D1 Relevance: 11.6, Strings: 8, Instructions: 1623COMMON

Download Yara Rule

Strings

',k], xrefs: 00A0A815
Gk:, xrefs: 00A0A7B4
/7w, xrefs: 00A09D02
rCW?, xrefs: 00A09A86
V<?O, xrefs: 00A0974F
mv`, xrefs: 00A0A53F
|Uu, xrefs: 00A09D17
)vk, xrefs: 00A09B46

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: ',k]$/7w$Gk:$V<?O$mv`$rCW?$)vk$|Uu
API String ID: 0-1238262635
Opcode ID: c95edf14ce3af54e12242ff071cebfd912aa87fc2e7fe4dbd9dd3da7a12ba5f1
Instruction ID: a0dfcf7b509fcdd62bf899348bd53e32cf8856675d723dd44288e1f18e5f69d5
Opcode Fuzzy Hash: c95edf14ce3af54e12242ff071cebfd912aa87fc2e7fe4dbd9dd3da7a12ba5f1
Instruction Fuzzy Hash: 14B2E5F360C6149FE304AE2DEC8566AFBE9EF94720F16493DEAC4D3740E63598048697

Function 0085098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

qrqp, xrefs: 00851089
9.5^, xrefs: 00850F9F
{, xrefs: 00851502
&> &, xrefs: 00850F89
gce/, xrefs: 00851073
,#15, xrefs: 00850F94
%*+(, xrefs: 00850A77, 00850A86
cah`, xrefs: 0085107E

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: 879bbad6963709ca52759f155daa91feabf9c8b308dd55ca2a9764156c5b5a69
Instruction ID: ed2dd6cfb66a95415cea2fb4065bc65f69468c1edc03a4d4d6b5bdb824263fca
Opcode Fuzzy Hash: 879bbad6963709ca52759f155daa91feabf9c8b308dd55ca2a9764156c5b5a69
Instruction Fuzzy Hash: 7F62BBB56083818BD730CF18D895BABB7E1FF96315F04492DE89A8B641E3759848CF53

Function 00831000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

gfff, xrefs: 00832297
0123456789abcdefxp, xrefs: 00831587, 008315F8
0123456789ABCDEFXP, xrefs: 0083157D, 008315EB
gfff, xrefs: 00832226
@, xrefs: 00832C40
-, xrefs: 008321ED
gfff, xrefs: 008322E1

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: db49b2c84fbe1b0bd4f33d068f4904c195edc1a8bb7c70fca2bfa77a6c938e5f
Instruction ID: b3f9a39141950c281ed10ca0246c171200b96f76ef5d816ebe9155b3b55b5ddf
Opcode Fuzzy Hash: db49b2c84fbe1b0bd4f33d068f4904c195edc1a8bb7c70fca2bfa77a6c938e5f
Instruction Fuzzy Hash: A0D2CE716087518FDB18CE28C89436ABBE2FBD9314F188A2DE499CB391D774D945CBC2

Function 009F88C6 Relevance: 10.4, Strings: 7, Instructions: 1679COMMON

Download Yara Rule

Strings

ZZ~, xrefs: 009F9218
/l'7, xrefs: 009F95AD
+;o, xrefs: 009F91CF
A3N;, xrefs: 009F9BD0
u wm, xrefs: 009F8D5C
r., xrefs: 009F89CC
hsP*, xrefs: 009F97FE

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: +;o$/l'7$A3N;$ZZ~$hsP*$r.$u wm
API String ID: 0-1581080990
Opcode ID: 505d633d765063985869aa9f89b5b2ad9d827793322010daf5bd8236e08924fd
Instruction ID: 3ace07b4a09122cdae879923c7bee8fd14f4ca8eee481a6dbf5d60bd8b93bbb2
Opcode Fuzzy Hash: 505d633d765063985869aa9f89b5b2ad9d827793322010daf5bd8236e08924fd
Instruction Fuzzy Hash: 8AB217F3A0C2049FE304AE2DEC8567ABBE9EFD4720F1A853DE6C4C7744E53558058696

Function 00A010C1 Relevance: 10.4, Strings: 7, Instructions: 1623COMMON

Download Yara Rule

Strings

r/, xrefs: 00A020DA
z%>o, xrefs: 00A01AAF
ftZ, xrefs: 00A01667
8B~], xrefs: 00A01D68
'n}?, xrefs: 00A01C36
?6${, xrefs: 00A014B5
4YK}, xrefs: 00A01B92

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: 'n}?$4YK}$8B~]$?6${$ftZ$r/$z%>o
API String ID: 0-2582792102
Opcode ID: 7744074644bb07a31c522f3ae1640b7c819999e54313405daf2bbc4ab4beb182
Instruction ID: 900c3629396bb24ac507c0337c6c9bdab1987d81c373cdc53c5dc2fddba2d161
Opcode Fuzzy Hash: 7744074644bb07a31c522f3ae1640b7c819999e54313405daf2bbc4ab4beb182
Instruction Fuzzy Hash: BCB217F3A0C2149FE3046E2DEC8577ABBE9EF94320F1A453DEAC4C7744EA3558058696

Function 009F6D57 Relevance: 9.2, Strings: 6, Instructions: 1704COMMON

Download Yara Rule

Strings

lk, xrefs: 009F6E02
gz{, xrefs: 009F7D75
RqW, xrefs: 009F77C0
WW>, xrefs: 009F702D
RqW, xrefs: 009F77DE
oq?, xrefs: 009F73C0

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: RqW$RqW$WW>$gz{$lk$oq?
API String ID: 0-477562608
Opcode ID: e0fddb68debe27c971ff1c294d3ff480a40a71ae2f7180805c7966c6452bb009
Instruction ID: 0c15b758f8c1df85570d67740aa084f15b28031ebbadb67aba2544d9990e9303
Opcode Fuzzy Hash: e0fddb68debe27c971ff1c294d3ff480a40a71ae2f7180805c7966c6452bb009
Instruction Fuzzy Hash: C0B238F360C2049FE304AE2DEC8567AF7E9EF94360F1A893DE6C5C3744E63598418696

Function 00A045D6 Relevance: 9.1, Strings: 6, Instructions: 1594COMMON

Download Yara Rule

Strings

+$v, xrefs: 00A055C5
2o~, xrefs: 00A05193
w?, xrefs: 00A05917
Sjm, xrefs: 00A05018
Pb]^, xrefs: 00A054EB
8Az, xrefs: 00A04C02

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: +$v$2o~$8Az$Pb]^$Sjm$w?
API String ID: 0-3646128247
Opcode ID: a8a380f00ecdcd52adea3347c634700da3c496f81e6ec3794b2c13689f4f62ce
Instruction ID: e4c28f09ceab4260ebba1361e815bc5871fbb915b947293bc1e1f5eafa7da87c
Opcode Fuzzy Hash: a8a380f00ecdcd52adea3347c634700da3c496f81e6ec3794b2c13689f4f62ce
Instruction Fuzzy Hash: 9EB2F5F36082049FE304AE2DDC8567AFBE9EF94720F16893DEAC4C7744E63598058796

Function 009FC01C Relevance: 9.1, Strings: 6, Instructions: 1569COMMON

Download Yara Rule

Strings

CO/, xrefs: 009FCC26
5$wZ, xrefs: 009FC815
S/, xrefs: 009FC9EC
/J|, xrefs: 009FC0AF
{R}o, xrefs: 009FCC1A
E 67, xrefs: 009FCFA0

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: 5$wZ$E 67${R}o$/J|$CO/$S/
API String ID: 0-2138985306
Opcode ID: 1b5b3ba2c6ddf03175f7e157f10d05894fb828a5f52c2de652edb266e48c3f87
Instruction ID: 2f1dbf87949abe897a0e5a0bb6147537ee76787bd700f70bb1ade9fd238f1fef
Opcode Fuzzy Hash: 1b5b3ba2c6ddf03175f7e157f10d05894fb828a5f52c2de652edb266e48c3f87
Instruction Fuzzy Hash: D3B203F3A0C204AFE7046F29EC8567ABBE9EF94320F16493DE6C5C7744EA3558048796

Function 009FDAD2 Relevance: 7.9, Strings: 5, Instructions: 1644COMMON

Download Yara Rule

Strings

%"o, xrefs: 009FDBF8
@j}w, xrefs: 009FE770
ox'~, xrefs: 009FEA26
Nd_, xrefs: 009FE902
t 7, xrefs: 009FDBC6

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %"o$@j}w$Nd_$ox'~$t 7
API String ID: 0-1982951269
Opcode ID: cf1f9943fc5b72438424e697dcdab96d2afa95eefd4c30fb6adbab5e0c9c085b
Instruction ID: f6d5a2590de627ca84a561c4ffaef2a710ab8c34b1d57ad13c13bee08d6ace77
Opcode Fuzzy Hash: cf1f9943fc5b72438424e697dcdab96d2afa95eefd4c30fb6adbab5e0c9c085b
Instruction Fuzzy Hash: 77B219F3A0C2049FE304AE2DEC8567AB7E9EFD4720F1A853DEAC4C7744E93558058696

Function 00A02B8F Relevance: 7.8, Strings: 5, Instructions: 1580COMMON

Download Yara Rule

Strings

$8, xrefs: 00A03DE1
`1}{, xrefs: 00A02E08
35g;, xrefs: 00A03DC8
;Na, xrefs: 00A031A4
,n?^, xrefs: 00A02D3B

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: ,n?^$35g;$;Na$`1}{$$8
API String ID: 0-1605665711
Opcode ID: 2207c025cc756e5fcacd31b886b952415d8f3b3604433450d268d6c71f8dbf83
Instruction ID: 73a93c2470414ba7cf26c41cf935941963444d429c44716b3ab17d9b96b9ddcd
Opcode Fuzzy Hash: 2207c025cc756e5fcacd31b886b952415d8f3b3604433450d268d6c71f8dbf83
Instruction Fuzzy Hash: A5B2D5F390C2009FE704AE29EC8567AB7E9EF94720F16893DEAC5C7744E63598048797

Function 008312F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

0, xrefs: 0083243E
i, xrefs: 008328EA
0, xrefs: 00831DC1
@, xrefs: 00833531
0, xrefs: 00831E88

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: 7a3787739698ba7d5669328205ae127c9ad207b5a3824a3da617dd665a82926a
Instruction ID: bedd6a42b0be9bd4367d668fc46e442197f60c88f9f2884d07502348336a7c59
Opcode Fuzzy Hash: 7a3787739698ba7d5669328205ae127c9ad207b5a3824a3da617dd665a82926a
Instruction Fuzzy Hash: E962ED7160C3818BC718CE28C49476ABBE1FFD5718F188A6DE8D9C7291E774D949CB82

Function 0083164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

gfff, xrefs: 00831F57
+, xrefs: 00831573
0123456789abcdefxp, xrefs: 00831659
0123456789ABCDEFXP, xrefs: 0083164F
gfff, xrefs: 00831F3C

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: bb2388c340cd17e4d5e32bc9328b2a7e2f5846c950322d89684e3346e40f59c1
Instruction ID: 1cab957f49c39f0110d4c4d42aee7ca821a96865c5264d33e425ea02cca100b5
Opcode Fuzzy Hash: bb2388c340cd17e4d5e32bc9328b2a7e2f5846c950322d89684e3346e40f59c1
Instruction Fuzzy Hash: 3AF19E3160C7918FC719CE29C48426AFBE2BBD9308F188A6DE4D9C7356D734D949CB92

Function 008313A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

gfff, xrefs: 00831F57
-, xrefs: 00831F23
0123456789abcdefxp, xrefs: 008313AD
0123456789ABCDEFXP, xrefs: 008313A3
gfff, xrefs: 00831F3C

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: 48a914e26c07764238ad3314fb53168a4a01cf3b73fc1ee801033d05aaf76f92
Instruction ID: 547e5515a55aa93ff8b9ee326cd0909280ac48fc4c0f5b934af219ca507b43c7
Opcode Fuzzy Hash: 48a914e26c07764238ad3314fb53168a4a01cf3b73fc1ee801033d05aaf76f92
Instruction Fuzzy Hash: 3AD17C3160C7818FC719CE29C48466AFBE2BBD9308F08CA6DE4D9C7356D634D949CB92

Function 009FFE45 Relevance: 5.9, Strings: 4, Instructions: 920COMMON

Download Yara Rule

Strings

N(], xrefs: 00A00292
f _y, xrefs: 00A006DE
v{O_, xrefs: 00A002B7
"y?, xrefs: 00A002E6

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: "y?$f _y$v{O_$N(]
API String ID: 0-2644501748
Opcode ID: 09c4a1ea4231f10b0ea1d78b37a8bd80bf8b96c457d61bca7ab24178bb131be8
Instruction ID: 696c398b780cb7daf414fcd678c76bf8cea04637a32892ad049848b7f0621e58
Opcode Fuzzy Hash: 09c4a1ea4231f10b0ea1d78b37a8bd80bf8b96c457d61bca7ab24178bb131be8
Instruction Fuzzy Hash: 6452C3F36086049FE304AE2DEC8576AF7E5EF98720F1A893DE6C4C3744E63599018697

Function 0085FD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

uvw, xrefs: 0085FE95
:, xrefs: 00860087
NA_I, xrefs: 0086036D
m1s3, xrefs: 0085FEC3, 0085FECB

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: aaf28f51e5895b6e9dfcdfd14bf7b9cf7ab752e52e8845557fa366b78df7e15c
Instruction ID: b35b765a0d17a035ee4a63bd0a7e781f52e3faa2bcdb31115b0a222dfe0c380f
Opcode Fuzzy Hash: aaf28f51e5895b6e9dfcdfd14bf7b9cf7ab752e52e8845557fa366b78df7e15c
Instruction Fuzzy Hash: 4F32A4B0508380CFD715DF28D884A2BBBE5FB8A304F158A6CE5D58B2A2D735D905CF96

Function 00843BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

ss, xrefs: 00843C79
;z, xrefs: 00843C87
%*+(, xrefs: 00843EC4
p, xrefs: 00843C80

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: ca9f3c483fd50d988a410f98770d01f0d0afad827b31c6ef4358f33d2b73d437
Instruction ID: b6a54239c81c557ebff2145e63c58f96884746eecddccd437a83c1723f317209
Opcode Fuzzy Hash: ca9f3c483fd50d988a410f98770d01f0d0afad827b31c6ef4358f33d2b73d437
Instruction Fuzzy Hash: B6024BB4810B00DFD760EF28D986756BFF5FB05300F50895DE89A9B696E331E419CBA2

Function 00852260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

lc, xrefs: 00852507
sj, xrefs: 00852327
a|, xrefs: 00852317
hu, xrefs: 0085232F

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: a|$hu$lc$sj
API String ID: 0-3748788050
Opcode ID: 8fa79acb20f3555e42fa9380d95928463f38da47c7f173f90136feb3a1822ffb
Instruction ID: a3f1af2634df99629811c4f2ef546a1cc1e58075123808104b064548b8919894
Opcode Fuzzy Hash: 8fa79acb20f3555e42fa9380d95928463f38da47c7f173f90136feb3a1822ffb
Instruction Fuzzy Hash: 39A19C744083418BC720DF18C891A2BB7F0FFA6355F589A0CE8D59B3A1E739D949CB96

Function 0085D7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

#', xrefs: 0085D9EA
T>, xrefs: 0085D984
KV, xrefs: 0085D97D
CV, xrefs: 0085D98B

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: 0f302d7ba15ad382e235e819229cc2902c686bbecc94947a20ffe754fca8a748
Instruction ID: 37c34fbc896c0008b9a5b7b6bd52133be426ee3617651a81a0424358f331f218
Opcode Fuzzy Hash: 0f302d7ba15ad382e235e819229cc2902c686bbecc94947a20ffe754fca8a748
Instruction Fuzzy Hash: 758145B48017459BCB20DF95D28515EBFB1FF12301F605A0CE886ABA55D330AA55CFE2

Function 0085AC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

,{*y, xrefs: 0085AD07, 0085AD13
lk, xrefs: 0085ACBC
4c2a, xrefs: 0085ACA9
(g6e, xrefs: 0085ACA1

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: dccb822672a9c770f35dc602cb9480ad426a0e753d50ebd45193ec6d9680bd58
Instruction ID: 011b44cc134de4a08a83f3ca120e6edcf835240e58b20028d5ccb5dc3cca4cfc
Opcode Fuzzy Hash: dccb822672a9c770f35dc602cb9480ad426a0e753d50ebd45193ec6d9680bd58
Instruction Fuzzy Hash: FE4185B4408381CADB209F24D844BABB7F4FF86306F54995DE9C897220EB31D949CB96

Function 0085C470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

~/i!, xrefs: 0085C537
%*+(, xrefs: 0085C9E4, 0085C9ED
%*+(, xrefs: 0085C8C3, 0085C8CB

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: d1daff7e5bcd2854f34106b4041a0d210e5c333a900a5b3709b126bb2fa0ff43
Instruction ID: b5896d5ebeda41263f2924c2f7e72d6bc910dacc4d185213f14ce5daf5fe1a95
Opcode Fuzzy Hash: d1daff7e5bcd2854f34106b4041a0d210e5c333a900a5b3709b126bb2fa0ff43
Instruction Fuzzy Hash: 93E185B5508344DFE720DF28D885B2ABBE9FB95345F48882CE5C98B251EB31D815CF92

Function 00838590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

), xrefs: 0083860C
), xrefs: 00838616
IEND, xrefs: 008389F0

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: b6b80ff81488f9515c0e45a3c1f8fa4e5ab07514a42ad6f4728ac96215da7500
Instruction ID: 29d2955c39876fb4cfab3e643493506bcc37ed5d81c1fc9f6e084c6ffc893d23
Opcode Fuzzy Hash: b6b80ff81488f9515c0e45a3c1f8fa4e5ab07514a42ad6f4728ac96215da7500
Instruction Fuzzy Hash: 59E169B1A087059FE310CF29C88572ABBE0FB94314F144929F999D7391EB75E915CBC2

Function 00A07B49 Relevance: 4.1, Strings: 2, Instructions: 1634COMMON

Download Yara Rule

Strings

qk[, xrefs: 00A08636
icPg, xrefs: 00A08458

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: icPg$qk[
API String ID: 0-705723275
Opcode ID: 67fa57c8c54c2cdd1fb2bdd57e228f1da439b131f52f44c8d833c181cac0cbaf
Instruction ID: ef785fc7132962e882f90876f88210e1891c46eb12104a738f3bba9f199e826c
Opcode Fuzzy Hash: 67fa57c8c54c2cdd1fb2bdd57e228f1da439b131f52f44c8d833c181cac0cbaf
Instruction Fuzzy Hash: 4EB208F350C2049FD3046E2DEC8567AFBE9EF94720F1A4A2DEAC4C7744EA3598418697

Function 008F7DB5 Relevance: 4.0, Strings: 3, Instructions: 224COMMON

Download Yara Rule

Strings

>.Y, xrefs: 008F7E64
_#gF, xrefs: 008F7F08
_#gF, xrefs: 008F7F3B

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: >.Y$_#gF$_#gF
API String ID: 0-2981865154
Opcode ID: ea632c4cc7bdb2a1b1747d4d968e6858a8ce0ca45934f060801ab5309fea8a0c
Instruction ID: a21605a1527d846a8ef144686bbe825d0579ab58af5aa9888e877d08a15b3085
Opcode Fuzzy Hash: ea632c4cc7bdb2a1b1747d4d968e6858a8ce0ca45934f060801ab5309fea8a0c
Instruction Fuzzy Hash: CD61F5B3A087005FE308AE79DDC5B3AB7DAEBC4320F26C53DE58893748E97958058695

Function 00874040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

%*+(, xrefs: 008740A4, 008740AD
f, xrefs: 0087420C

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: 823659124295761ffb69441ba41ec4122f7cb65d562a04ceffb94030a501c3a3
Instruction ID: 19f4997cbdb73c7a79ccf450c6395137719127fd8542a883b0373c963c19fe63
Opcode Fuzzy Hash: 823659124295761ffb69441ba41ec4122f7cb65d562a04ceffb94030a501c3a3
Instruction Fuzzy Hash: 531299716083419FC714DF18C880B2ABBE6FB89318F58CA2CF499DB295D735E945CB92

Function 0086F620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

hi, xrefs: 0086F6E6
dg, xrefs: 0086F7F5

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: ecd17d5ab89f9fee45c302f111d9c8f620bb795f0cfdd1914c58f89a31edb130
Instruction ID: 42837c8ea1d49bb604f6b22b0ecb1ef774e27fda89cc855732a63a4d2a88f670
Opcode Fuzzy Hash: ecd17d5ab89f9fee45c302f111d9c8f620bb795f0cfdd1914c58f89a31edb130
Instruction Fuzzy Hash: 76F18571618341EFE714DF28D891B2ABBE6FF86344F15992CF2858B2A2C734D845CB12

Function 008335B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

Inf, xrefs: 00833607
NaN, xrefs: 0083360E

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: fb656dff7b375fb333b3401e5efae5957298bfd4fa0669b29ae879e398ef42ef
Instruction ID: 12f86ba81f48b2241c4602a29d5e273262c8b62af5e21d18161939e82877ab12
Opcode Fuzzy Hash: fb656dff7b375fb333b3401e5efae5957298bfd4fa0669b29ae879e398ef42ef
Instruction Fuzzy Hash: FED1D1B1A087119BC704CF69C88061ABBE1FBC8750F258A3DF999D73A0E675DD058BC2

Function 00A060DF Relevance: 2.8, Strings: 1, Instructions: 1600COMMON

Download Yara Rule

Strings

=E~?, xrefs: 00A06793

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: =E~?
API String ID: 0-1385089294
Opcode ID: 12a911bff2b518ffe4de49715ae987b9117c9ff0702c1e7a82153742c089ea3f
Instruction ID: 094130230610184b92c3ec807ef6b457f757f3c3399cd1f9d2a8be829dbb0d16
Opcode Fuzzy Hash: 12a911bff2b518ffe4de49715ae987b9117c9ff0702c1e7a82153742c089ea3f
Instruction Fuzzy Hash: 23B248F3A0C2049FE7046E2DEC8567ABBE5EF94720F1A463DEAC4C7744EA3558058687

Function 0084FFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

Ye[g, xrefs: 008500F6
BaBc, xrefs: 00850197

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: 5af52445e9d3b6c2f60cb1bc1e9b0c3cbbb546275e1c71c559f9b2012783de21
Instruction ID: b686ad76e4b2a9ac0eb63e7575a77ca2532159172a2815f8a885ce923a3d9256
Opcode Fuzzy Hash: 5af52445e9d3b6c2f60cb1bc1e9b0c3cbbb546275e1c71c559f9b2012783de21
Instruction Fuzzy Hash: F851BBB16083858BC331CF18C881BABB7E0FF96351F08491DE89ACB691E3749948CB57

Function 009BA62F Relevance: 2.7, Strings: 2, Instructions: 175COMMON

Download Yara Rule

Strings

!\7, xrefs: 009BA757
XSm_, xrefs: 009BA736

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: !\7$XSm_
API String ID: 0-4260958980
Opcode ID: 1d54d0ad6238232373c89a9dfd1a9463865e53f024f559000329451071ee6dfc
Instruction ID: b0d4cfdfa400f0623805fc0ccb579a7114c8ef71672c8b8dcc584ffba8204828
Opcode Fuzzy Hash: 1d54d0ad6238232373c89a9dfd1a9463865e53f024f559000329451071ee6dfc
Instruction Fuzzy Hash: A54146F3E2822C5BE3186AA8DC543B2B799DB84360F1A423DEE99D7784FC255C0582C5

Function 00835160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 008354C8

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: 6e081a2260bd316014c0437c79a2d50808aa613c65ebf0a08f2b9536601869e8
Instruction ID: 32c2953676a4a9d15a6ed7c74734e77e2feea36679697f0a28b9ec91e8e782f8
Opcode Fuzzy Hash: 6e081a2260bd316014c0437c79a2d50808aa613c65ebf0a08f2b9536601869e8
Instruction Fuzzy Hash: F222C0B6A08B468BE7258E18D940327BBA2FFE1318F19856DD899CB351E771DC05C7C2

Function 008612D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 008615D1

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: 4630355093229ed0ed3ccf4caa8ae9d517091bb8e0f908e2f1d3e4dc4815586c
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: 1FF12571A083454BCB24CE28C49962BBBE6FBD1354F1EC56DE89AC7383DA34DD058792

Function 0085AE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0085B2D3, 0085B2DB

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 353c4919b2085a80c6aa8fda7988e6eb4486746a99d0300258df670523b72519
Instruction ID: 3ee601895b33b291d6416272b9ec111ad43f5d302598bca2f508c86e553bca17
Opcode Fuzzy Hash: 353c4919b2085a80c6aa8fda7988e6eb4486746a99d0300258df670523b72519
Instruction Fuzzy Hash: 33E1B975508706CBC724DF28C89056FB7E2FFA8792F548A1CE8C587260E731E959CB92

Function 00846EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00846EF3

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: b020ca9083a1bdc45f769a7bc208b368cc19fd0486d7537629432874f1de2394
Instruction ID: 42f16873f67013bd01ceb2061c7a647c73a618abd807587a8300a4ce9d8e8f0d
Opcode Fuzzy Hash: b020ca9083a1bdc45f769a7bc208b368cc19fd0486d7537629432874f1de2394
Instruction Fuzzy Hash: AAF18FB5A00609CFD7259F28D881A26B3F2FF89314B14892DD597C7692FB31F865CB42

Function 00857E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00858263, 0085826B

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 5b90b73f740503fd2b782decb5fe95d07873fda90967d3f0afef7f78ea1bc722
Instruction ID: 1d3b53705de77721fd386032f83dd26a716736a39be7bf1c6b342b015bb413d0
Opcode Fuzzy Hash: 5b90b73f740503fd2b782decb5fe95d07873fda90967d3f0afef7f78ea1bc722
Instruction Fuzzy Hash: 53C19BB1508200EBD710AB18D882A2BB7F5FF95756F088819F8C5E7251E734EC09DBA3

Function 00858D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00859233, 0085923B

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 8e903332017e5b5fbf024ac3d8ae005bb0d294a9876812f10c261c3bf93a104f
Instruction ID: ba616f6f5c4bb0e7d61d662465203836c7d09f07d0bfd21c676f49c032589902
Opcode Fuzzy Hash: 8e903332017e5b5fbf024ac3d8ae005bb0d294a9876812f10c261c3bf93a104f
Instruction Fuzzy Hash: 14D1BB70618302DFD744DF68D890A2AB7E6FF88315F49896CE886C7291D734E958CF52

Function 00877FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 00878167

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 3f77df25a5e343e1227c99c8c8269245ceb99dfb6e1ea6c73efdb14f006bdc04
Instruction ID: a1de12d1e70765d07445490176c6c5d13b9d66c9b915f84605fdc08b2f29c23a
Opcode Fuzzy Hash: 3f77df25a5e343e1227c99c8c8269245ceb99dfb6e1ea6c73efdb14f006bdc04
Instruction Fuzzy Hash: CED1E3329483658FC725CE18989471EB6E1FB85718F19C62CE9B9AB388CB71DC46C7C1

Function 0085CCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0085CDC3, 0085CDCB

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: b769f70945ab8d97033364d7e863df191a72b73ac85aab9e1d3d866442b89fc1
Instruction ID: ab4670507343e2e17cec3742b99c3939e6e354ef4dc4b4009c6f2dfb91aecb0d
Opcode Fuzzy Hash: b769f70945ab8d97033364d7e863df191a72b73ac85aab9e1d3d866442b89fc1
Instruction Fuzzy Hash: 67B1DD706083058FDB14EF18D881A2BBBE2FF85346F14492CE9C5DB291E735E859CB92

Function 0083A850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 0083A9C3

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction ID: 997e9e4493884cb2a2a6e3e9e828ef3ca5f0f9a77238f4b0ff077610bfdda259
Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction Fuzzy Hash: DCB106712083859FD325CF18C88061BFBE1AFA9704F448E2DE5D997742D671EA18CBA7

Function 0086FC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0086FCA4, 0086FCAD

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 966fac07abc2284287b07e5e55a0bc0b23839bf26c692fb02d8063b69e69947d
Instruction ID: 1b2148672eceb485e2cd3990c30a349f34998802a6a9010c5e6045c8ee0d6fa0
Opcode Fuzzy Hash: 966fac07abc2284287b07e5e55a0bc0b23839bf26c692fb02d8063b69e69947d
Instruction Fuzzy Hash: 7A81CC70118304EBD710EF68E885B2AB7E5FB99745F05882CF689D7292DB31E814CB63

Function 0084D457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0084D663, 0084D66B

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: c1bbefb756d21d3da10066a25614401bef827046e5667c78e0b50a42077d7bb1
Instruction ID: 9722744601b0379851a76257268d7462bf24fd1c2914f476467f2a5ba2ca164f
Opcode Fuzzy Hash: c1bbefb756d21d3da10066a25614401bef827046e5667c78e0b50a42077d7bb1
Instruction Fuzzy Hash: F161D1B6908318DBD710EF18DC42A2AB3B4FF95354F09492CF985DB252E731D915CB92

Function 00874A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00874C33, 00874C3B

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 72ce7a4b3316a15657dc02ed57e18dde1b59e1a98f1bf6b78e6113a734dd2a78
Instruction ID: 5c015e816b637575a51e05fbd716a887c6ce4ada8b7c4c2284344c3e085380c1
Opcode Fuzzy Hash: 72ce7a4b3316a15657dc02ed57e18dde1b59e1a98f1bf6b78e6113a734dd2a78
Instruction Fuzzy Hash: C661CD716083059BD711DF69C880B2AB7E6FBC4324F28D91CE599C72A9D771EC50CB92

Function 008B944F Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

|}, xrefs: 008B94A5

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: |}
API String ID: 0-3231092668
Opcode ID: 662a74c33a22273b141a65ace8c72edd9f2b5528fad7382302a94321f83fb703
Instruction ID: 15e25506e22e4cb3c28de4c59a5f49b106b12c7bb975310aba6deb9ffd72e5b2
Opcode Fuzzy Hash: 662a74c33a22273b141a65ace8c72edd9f2b5528fad7382302a94321f83fb703
Instruction Fuzzy Hash: 4A5163F3E182041BF308593EDC557AAB6DAD7D4320F2B823CEA99D3BC8E8795D020195

Function 008FBA61 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

h^F, xrefs: 008FBAB0

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: h^F
API String ID: 0-3592163217
Opcode ID: 9e246f3c6ed10c50a5f4d276454172cb5a648b1feeeb6c4e40abf8193cbd232c
Instruction ID: 051d66493b71f0479e16720e12613525c1f379f16bebcfe0db939ecce30d30c8
Opcode Fuzzy Hash: 9e246f3c6ed10c50a5f4d276454172cb5a648b1feeeb6c4e40abf8193cbd232c
Instruction Fuzzy Hash: 215189B37597042FF3006929EDC477BB7DAEBD4720F5AC63DE680C2748D53A48468292

Function 0083E1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 0083E333

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: 66b468e35e1d724b005968ee5a6ef7591ba5b9db31301e0113fb577cdce05db5
Instruction ID: b2dc99f0283128c62290a282c0c1558b6fc6cddf810a687e611b7aa7313ea9bf
Opcode Fuzzy Hash: 66b468e35e1d724b005968ee5a6ef7591ba5b9db31301e0113fb577cdce05db5
Instruction Fuzzy Hash: C4511523A196948BD328893C8C552AA7A876FE2338F2D8769E9F5CB3E5D555880483D0

Function 00873920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 008739E3, 008739EB

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: fd907a4dd05851ada5be5b27f1740ee79a4911dd0d1f32b837c8f53aaab8a3d5
Instruction ID: 11bedfbe8fbfe37877228193a0e56744d040a04842a95c7e329af19f846db4f4
Opcode Fuzzy Hash: fd907a4dd05851ada5be5b27f1740ee79a4911dd0d1f32b837c8f53aaab8a3d5
Instruction Fuzzy Hash: 69519E306096109BCB24DF19D881A2AFBE5FB86748F18C82CE4CAC7255D372DD10EB63

Function 00962AE5 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

l.oo, xrefs: 00962C53

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: l.oo
API String ID: 0-1561327596
Opcode ID: d4deb9707396647c93a4c3b7cdb95c374893949187b156fcab478fd208429c5a
Instruction ID: 8a7fc2f563761593064a05880e2637985a7ee01533198419b8c7323c499eabac
Opcode Fuzzy Hash: d4deb9707396647c93a4c3b7cdb95c374893949187b156fcab478fd208429c5a
Instruction Fuzzy Hash: 114136F3A583089FE304BA3CEC9573AB7D9EB54710F19052DE685C7785E938A8014796

Function 00841BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00841C3E

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: e8e1235453f3cd33cfb506fbb8ee3b0ddb438665f6c35ee919ed6615019b1d1c
Instruction ID: ba86fc6af96d1f273621db5716bc7234c37cf2e3647ba554e1d307bd4c7ad110
Opcode Fuzzy Hash: e8e1235453f3cd33cfb506fbb8ee3b0ddb438665f6c35ee919ed6615019b1d1c
Instruction Fuzzy Hash: 0C414FB44083889BCB149F28D898A2FBBF0FF86714F04991CF5C59B291D73ACA45CB56

Function 0086FF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00870033, 0087003B

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: f59ab20030513e458ab9d9cc997705d70ed6d9f38dd425a8c2db9128bd3cadf0
Instruction ID: 23da11ae0868a01e07d27849c952596468d9a8f243c237903ca23ef7cc734e60
Opcode Fuzzy Hash: f59ab20030513e458ab9d9cc997705d70ed6d9f38dd425a8c2db9128bd3cadf0
Instruction Fuzzy Hash: 963103B5908305EBD610EA58DC81F2BB7E8FB81758F148828F889D7256E731DC10CBA3

Function 0085E40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 0085E6A2

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: f92b21e1b81036ae7688dfb7347ea6fba8bbc050aebccc7021a20669fc79b899
Instruction ID: 87fca80ee6ad3e925f8411d843e127d966c731b2a09a6dc9a681ff30eb4c2628
Opcode Fuzzy Hash: f92b21e1b81036ae7688dfb7347ea6fba8bbc050aebccc7021a20669fc79b899
Instruction Fuzzy Hash: 4331E4B5900204CFCB20CF98EC845AFFBB9FB5A745F540468E846E7301D735AA09CBA2

Function 00846F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0084703B

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 672f8545e47b2430e4fe103d40b99027d2891293ec30804835b0092eba3b191c
Instruction ID: 65f62cad8984a77f5a7b353079eea812b6018fc8de87491a75cb4a44f0eb8289
Opcode Fuzzy Hash: 672f8545e47b2430e4fe103d40b99027d2891293ec30804835b0092eba3b191c
Instruction Fuzzy Hash: 70414475206B08DBD7348B65D994B26BBF2FB49705F148818E68A9BAA1E331F8108B10

Function 0085E66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 0085E6A2

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: a02b7a37adebe80a960ea4e63239921e67d0e1354ebfb802bd769a1339959ee5
Instruction ID: 710cbf0e3dfdc9b86dbe0be0a1f45d5f6836de22268241f7aafc29519396d0bc
Opcode Fuzzy Hash: a02b7a37adebe80a960ea4e63239921e67d0e1354ebfb802bd769a1339959ee5
Instruction Fuzzy Hash: 4B21BFB5900204CFCB24CF98DD8456FBBB9FB5A745F540858E846EB301C335AA05CBA2

Function 00879CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 00879D30

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 7dc4793604440f2bdfe9bb1907d00c686033ffe181df2e291670d33bc1f18c72
Instruction ID: 7c25f7aecff3166cbeb06358d33acafb26ec87f1ea623471f29440e007898d5a
Opcode Fuzzy Hash: 7dc4793604440f2bdfe9bb1907d00c686033ffe181df2e291670d33bc1f18c72
Instruction Fuzzy Hash: 393158705093009BD324EF19D880A2AFBF9FF9A354F14C92CE5C997255D375D904CBA6

Function 00844E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff8487ec3963292824edb481c4dfdd1133764d4a2bd7c3fa141a6745aeabc9a
Instruction ID: 5389299c2683252a0b33126eac8ad0f0ef2522416d478e577c46b325d81a29dc
Opcode Fuzzy Hash: eff8487ec3963292824edb481c4dfdd1133764d4a2bd7c3fa141a6745aeabc9a
Instruction Fuzzy Hash: ED6246B4500B048FD725CF28D980B2AB7E5FF56704F54892DD49ACBA52E774F848CB91

Function 0083BEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: c5498a8937cf5577327fbee4ba91eac881f92fde734a3541805d356cfce28ac4
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: 4652E7329087158BC7259F1CD8402BAB3E1FFD5319F298A2DD9C6E7290E735A851CBC6

Function 00878652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4ab128ddc231c86b8ff2a3ae67c150b9bdb5224a9c193a3b8edc745afa1631
Instruction ID: d644cd2e8251ff4f370d5abf42ef3ba4ab427d93f50f8be8985e87f91e853564
Opcode Fuzzy Hash: 7e4ab128ddc231c86b8ff2a3ae67c150b9bdb5224a9c193a3b8edc745afa1631
Instruction Fuzzy Hash: 0C22983A618342DFC704DF6CE89062ABBE1FB8A315F09896DE589C7361D735E950CB42

Function 008786F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a57be06e31f04ac0f85ae9cf3e9bfa4e911e93ea5692e4cf5a671bcf764e42
Instruction ID: 2cee5f6a8d4770651e744e9bffc31d855bcd7a560673f8cab953c0908c1afdb8
Opcode Fuzzy Hash: b5a57be06e31f04ac0f85ae9cf3e9bfa4e911e93ea5692e4cf5a671bcf764e42
Instruction Fuzzy Hash: 1D228836618342DFC704DF6CE890A2ABBF1FB8A315F19896DE58987361D735E850CB42

Function 0083B3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090a1bd11e5e7210e1e0ae7b7490d8ac22405ab53652e4b5f5895daa17c53755
Instruction ID: 79e3818cd0cfa50e6372671002a29e4b421484406755f0b35fc86aab63f3125d
Opcode Fuzzy Hash: 090a1bd11e5e7210e1e0ae7b7490d8ac22405ab53652e4b5f5895daa17c53755
Instruction Fuzzy Hash: 715282F0908B888FE735CB24C4847A7BBE2FFD1314F14492DC6D686A82D779A985C791

Function 008371F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3344a16b2b9834d31171b00b04e7f55ded3b4098a275dea222d6d0da20f62c
Instruction ID: 6933d0c54a498a47b47cb72f56e98664b54109e3deb54698b68ed7154edaa247
Opcode Fuzzy Hash: 7c3344a16b2b9834d31171b00b04e7f55ded3b4098a275dea222d6d0da20f62c
Instruction Fuzzy Hash: A85290B150C3498FCB25CF29C0906AABBE1FFC8318F198A6DE89997351D774D949CB81

Function 00838FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3486b3b8a9733b081ff0d711ed8b227af830d617a37ca69863f6560c146c26
Instruction ID: a6f0416ed1d7657797d9b819f8f26a0d373afd1d023c296e096b6bb051f7d24e
Opcode Fuzzy Hash: 6c3486b3b8a9733b081ff0d711ed8b227af830d617a37ca69863f6560c146c26
Instruction Fuzzy Hash: A7425375608301DFD718CF28D85476ABBE1FB88315F0988ACE8998B3A1D775D985CF82

Function 00837BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf7294fc9b10a30fc16f8b952bbbe25e25e5aeaecdb48808fc37fc3e1672120
Instruction ID: f4a96aa4d272f7be861fc265eed10d513194512f11cbe2b006bfc340b6b1d0f2
Opcode Fuzzy Hash: aaf7294fc9b10a30fc16f8b952bbbe25e25e5aeaecdb48808fc37fc3e1672120
Instruction Fuzzy Hash: AF3201B0515B158FC378CE29C59052ABBF1FF85710B604A2EE6A787B90DB36F845CB90

Function 008789A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8913463900f2a1f40480525e726d3526b13e98688e25c2b2a343a743b9ee8376
Instruction ID: 3ee80afa2eb4f57ff94a960596ef0a62bb30af980ea3fc5d7e9060980b97048f
Opcode Fuzzy Hash: 8913463900f2a1f40480525e726d3526b13e98688e25c2b2a343a743b9ee8376
Instruction Fuzzy Hash: CB02873560C242DFC704DF6CE880A1ABBE1FB8A315F09896DE5D987361D736D854CB92

Function 00878A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af5c338ee5ee00aaa22eefce8da8d6983c85ff8249ec852abfd2847e24756e9b
Instruction ID: bd7bf912bba39ecb87561871cfa071e31637392e3b1af8046a9e7aa476828f34
Opcode Fuzzy Hash: af5c338ee5ee00aaa22eefce8da8d6983c85ff8249ec852abfd2847e24756e9b
Instruction Fuzzy Hash: 91F1553560C241DFC705EF6CE880A1ABBE1FB8A315F09896DE4D9C7262D736D914CB92

Function 00878C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7dcd5265033f5f1989ff28ca5d943eb081d8c5a6c2395454b15b693bd8c7ef4
Instruction ID: 4912edffd4354cb92e0e5be2e1e24d37320e9564f73de6d0f96e9fab3b91e527
Opcode Fuzzy Hash: d7dcd5265033f5f1989ff28ca5d943eb081d8c5a6c2395454b15b693bd8c7ef4
Instruction Fuzzy Hash: D7E16836618241CFC704DF2CE88062ABBE5FB8A315F09896DE5D987361D736E914CB92

Function 0083A300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: 9f1218a524c693dc7fce264f45551c808d0e22275536b29abb11d94ba96730f5
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: 16F19A766087458FC728CF29C88166ABBE6FFD8300F08882DE4D5C7751E639E945CB92

Function 00878E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ae211b7cd698f9ae63d38c26b47287692f8cc197c20cda93fe9547dd580521
Instruction ID: 623321ebdd90b3058188f95075bffd477f03853cc354703f235a62872b7bdf06
Opcode Fuzzy Hash: b2ae211b7cd698f9ae63d38c26b47287692f8cc197c20cda93fe9547dd580521
Instruction Fuzzy Hash: A0D1783561C281DFD705EF28D880A2ABBF5FB8A315F09896DE4D987252D736D810CB92

Function 00844487 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3733950d695fe5e31c5ec44443cfbb78b769eab17129f82b8453394f914426ae
Instruction ID: c7b49307c8f71046911048b7d1b03e241d6d26d8eb163282d28edf3afdfaff76
Opcode Fuzzy Hash: 3733950d695fe5e31c5ec44443cfbb78b769eab17129f82b8453394f914426ae
Instruction Fuzzy Hash: 34E10FB5601B008FD321CF28D996B97BBE1FF06704F04886CE4AACB762E775B8148B54

Function 00876CBF Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f476750466dac067d0ce751d58508b2ec2dde5744cad07b5c11ec6719fea11c1
Instruction ID: d31658e706696811f2a1202241dd21317f470479f46c866bb6f15da361c78f21
Opcode Fuzzy Hash: f476750466dac067d0ce751d58508b2ec2dde5744cad07b5c11ec6719fea11c1
Instruction Fuzzy Hash: 4AD1BB36618755CFC714CF2CE88052ABBE2FB89314F098A6CE895D73A1D735DA44CB91

Function 00877AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4968e17da54b21faea8ac8ed1c95688a5747a590e6553eabd63c88ee314130d
Instruction ID: b9d53f37591adcb6bbfdc3391eff11a5380bda3f496b6a8d85bc5cace7e758fe
Opcode Fuzzy Hash: b4968e17da54b21faea8ac8ed1c95688a5747a590e6553eabd63c88ee314130d
Instruction Fuzzy Hash: BDB1F4B2A083504BE324DA68CC4576BB7E5FBC9314F08892DE99DD7396E635DC04C792

Function 0083AF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: dedd4160be3251b1ae3d5362ee811ac6cee5c908dd21cf1ef1293314f109a47b
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: 73C15CB2A087458FC360CF68DC967ABB7E1FF85318F08492DD2D9C6242E778A155CB46

Function 00846536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e54058d2782e8456ebd853abb3969cb4fea73d6d25f9151172d1c6292f9c76a9
Instruction ID: 2ed26a0e789f32eaff6b648344b8241363ce950dbd77a6173bf2fce554cc4121
Opcode Fuzzy Hash: e54058d2782e8456ebd853abb3969cb4fea73d6d25f9151172d1c6292f9c76a9
Instruction Fuzzy Hash: 2DB110B4600B448BD3218F28C981B27BBF1FF46704F14885CE8AA8BB52E735F815CB56

Function 00877710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 35ea900e8b57b120dc331af3198f4bea4e2e1e65a991799275bc8f1f9bdc3d98
Instruction ID: c3770ffdcc3facdd76828e6f7c3cdd775cd25f99a2a4501c1eb64091f9bf4daa
Opcode Fuzzy Hash: 35ea900e8b57b120dc331af3198f4bea4e2e1e65a991799275bc8f1f9bdc3d98
Instruction Fuzzy Hash: DA916971609301ABE720DA28D880B6BBBE5FB85354F548828F999D7356E730E950CB92

Function 0087A0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c8789d03262a2cf82f3b4bc04293cc4312106347ccb337765ab60f2f8e5430
Instruction ID: da3313e9c93f8e80cdfe2d0766a760997351eaf046b58ae66de15317d19baac2
Opcode Fuzzy Hash: 20c8789d03262a2cf82f3b4bc04293cc4312106347ccb337765ab60f2f8e5430
Instruction Fuzzy Hash: 5F816C342087058BD728DF28D880A2EB7E5FF89754F55C92CE58AC7256E731E8508B93

Function 008664F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cda9a6b09980f66e0f879808862c3ad3f14234dc1b1a79955473acc40a802ec
Instruction ID: 264f4943c06224a94554892a529d59ac263b403f4c2bf8df3fa8ca897b68f569
Opcode Fuzzy Hash: 1cda9a6b09980f66e0f879808862c3ad3f14234dc1b1a79955473acc40a802ec
Instruction Fuzzy Hash: 3171E833B19AD047C3148D7C9C86395AA53ABE6338F3EC379A9B5CB3E9E5258C154341

Function 008528E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe8eba5bd8c8742cee53613e58703c54b9dc3713d7af07a33825506ea0a70dd
Instruction ID: 44f8389278b1b4c2b05badbb2a8b6feb49af73cfc6c6930faeffe5b19ba4fe9c
Opcode Fuzzy Hash: 9fe8eba5bd8c8742cee53613e58703c54b9dc3713d7af07a33825506ea0a70dd
Instruction Fuzzy Hash: 996186B44083508BD310EF18D841A2ABBF0FFA6756F18491CF8C59B261E739D918CBA7

Function 00857C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ecc88af9f400cd19a002581edd2596945e9bf96cdc7467f682db57fadc32f9b
Instruction ID: 65da1adeb77655397fc8a6437a9c4ca0b8737966fb3c0ba3ed8067c3de253a40
Opcode Fuzzy Hash: 0ecc88af9f400cd19a002581edd2596945e9bf96cdc7467f682db57fadc32f9b
Instruction Fuzzy Hash: D451BDB1608205ABDB209B24DC82B7733B4FF85769F148958F985CB291F375EC09C762

Function 00922935 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d058ae42c7d22dad2b557920cd93f0558e0b9e06a12e665b8ea2adda24ebbc9
Instruction ID: 1922b441295b8aff079bce153c2ca51d6bb76e8a56a0bd4ca67fe39c2d9c15c6
Opcode Fuzzy Hash: 6d058ae42c7d22dad2b557920cd93f0558e0b9e06a12e665b8ea2adda24ebbc9
Instruction Fuzzy Hash: AC6103F3E087089FE3086E29DC5577AFBE9EBA4710F170A3DD6C583780EA7958058642

Function 00861860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: 9349aa2f68d6870fb6376c0fa6724dca105b2858b114ca423f996fb47750afdf
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: 7061DC31609325ABDB14CE68C58832EBBE2FBC5351F6EC92DE489CB252D670DC819741

Function 008682D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63833ca15f88b79908a718b3cc226155817f4d86ffd800f127705b866435e601
Instruction ID: bb6a35582cfc7b554befa20a32c3a10cebcd74aba50bc58de80dc54a1c243971
Opcode Fuzzy Hash: 63833ca15f88b79908a718b3cc226155817f4d86ffd800f127705b866435e601
Instruction Fuzzy Hash: 7C614A23A5AA90CBC314453D5C5A3A66A83BBD6338F3FC36998F9CB3E4CD6988414341

Function 008442FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d93c6bf2c1afddc10f7542029ea2762c4b34feaedfe9a3837af6ef49b3df778
Instruction ID: a83dc173eb636817fb80fc823d03030557dc584b5e6a981e72be37ed1b41f817
Opcode Fuzzy Hash: 9d93c6bf2c1afddc10f7542029ea2762c4b34feaedfe9a3837af6ef49b3df778
Instruction Fuzzy Hash: 7A81BDB4810B00AFD360EF39D947757BEF4FB06201F504A1DE4EA96695E730A4598BE3

Function 0086E8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: 8f437d4cf52040162ced84bd2649b2d373d9dd822f81706766850e86ece8ecde
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: A4517CB56083548FE314DF69D89435BBBE1FB85318F054E2DE4E983350E379DA088B82

Function 00877520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4db97df31f7dabae67e96dab0b003c2315a5e7ba221be18b431793d60889a54
Instruction ID: 5c8963ca9d9d34466802753d18ddc9509984f83bf6b18c5f17106f79e09407c8
Opcode Fuzzy Hash: c4db97df31f7dabae67e96dab0b003c2315a5e7ba221be18b431793d60889a54
Instruction Fuzzy Hash: 4151C53160C2109BC715AA1CDC90B2EB7E6FB95758F28CA2CE5A997395D731EC10C752

Function 00835A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8a6ecbfc004274e90a9f7e1e104534bbf3ac4feabfbdc6b7e5fbe5c13bd319
Instruction ID: fdfe0e9fa75b9c0664c1a9e0231bf2a1ff67cc7d536d05adc9d7c9951eca46c6
Opcode Fuzzy Hash: 7a8a6ecbfc004274e90a9f7e1e104534bbf3ac4feabfbdc6b7e5fbe5c13bd319
Instruction Fuzzy Hash: 53518DB5A047149FC7149F18C89092AB7A1FFC9328F15466CE899DB352D731EC42CBD2

Function 0085EC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e61f06a7423722a5c381afd1be9bf4659effa7e84fe824adb899e5d57805f5
Instruction ID: 1cbba285a2b5b221b19896d6fe11355bafb63fc26f64c010e4496f09f4cdc27f
Opcode Fuzzy Hash: 68e61f06a7423722a5c381afd1be9bf4659effa7e84fe824adb899e5d57805f5
Instruction Fuzzy Hash: DB41CF74900329DBDF24CF58DC91BADB7B1FF0A301F444548E945AB3A0EB38AA55CB91

Function 00879B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2881ecc1a38b5cb03d2c5d6d5b0b8b029cffad48b390fa6b23655c0dbab2b6d5
Instruction ID: 24446cde4a0f463c94385aa1a4d31fea23f5af87f518a5e82b541999f1effffe
Opcode Fuzzy Hash: 2881ecc1a38b5cb03d2c5d6d5b0b8b029cffad48b390fa6b23655c0dbab2b6d5
Instruction Fuzzy Hash: 36417B74208300ABDB15EB19D990B2ABBE6FBC5724F54C82CF5CAD7255D335E800CB66

Function 00842030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25cbf67aeecc27dc132f6445d94f10ee2bb207cdfc8ff2b651f09d313be473c9
Instruction ID: d5c5eb0a1e0a99af60ce0f20aabc7861903d6b066d7839921a987a3667da9ecc
Opcode Fuzzy Hash: 25cbf67aeecc27dc132f6445d94f10ee2bb207cdfc8ff2b651f09d313be473c9
Instruction Fuzzy Hash: D841E772A0C3694FD35CCE29849023ABBE2BBD5300F49866EF4D6873D4DA748945DB81

Function 00841E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d83df6f9788ddd3153e0a5d3b9843fdbd36ed6a0e393b64aaebc7dd107fb77
Instruction ID: ef951765e3c6a0a24cb3f844fd66957e690780f5b73b6f79ca7d26250b8b96b4
Opcode Fuzzy Hash: 10d83df6f9788ddd3153e0a5d3b9843fdbd36ed6a0e393b64aaebc7dd107fb77
Instruction Fuzzy Hash: C441FF7450C3849BD720AB59C888B2EFBF5FB86384F14491CF6C497292C37AE8148B66

Function 00878D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c95438be11041e736eaa3288b4ba14860802303e8672e8672bf614b640389a7
Instruction ID: ae8512900d173b0a881d91fda93e672de7d383ef214342b8ff9181ecc2a11bc6
Opcode Fuzzy Hash: 2c95438be11041e736eaa3288b4ba14860802303e8672e8672bf614b640389a7
Instruction Fuzzy Hash: BD41CF3164C2548FC315DF68C49452EFBE6EF9A300F198A2DD4D9D72A1CB74DD018B82

Function 0084D961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3894656d1c5d0027525604d58100d56cc46a5777a6e9e755b3f67746671eb94e
Instruction ID: 4000f73d510c79443322e8a778ab422514f2e210b2b14a18a850e84981ddbbad
Opcode Fuzzy Hash: 3894656d1c5d0027525604d58100d56cc46a5777a6e9e755b3f67746671eb94e
Instruction Fuzzy Hash: 0241BCB16483958BD330DF18C841BABB7B0FFA6364F040958E58ADB752E7744840CB97

Function 0086F030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: 3cafb6fbf2aa27e161e9b7d77fe8f1cadb0945ebe01e7740325dd7fabb7b040c
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: FC2125329082244BC3249B1DD48063AF7E4FB9A704F07962EDAC4E7296E735DC2087E2

Function 008767EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7708df1fd69d56e982175672ef98228c5375edf62df8f2707cf385120ed092
Instruction ID: d4df3b6ff7dd458bca28a91b1a2090a6f54dfabc32358f45d5ee2e37f561ed40
Opcode Fuzzy Hash: ff7708df1fd69d56e982175672ef98228c5375edf62df8f2707cf385120ed092
Instruction Fuzzy Hash: 563102705183829AE714CF14C49062BBFF0FF96784F54981DF4C8AB265E338D995CB9A

Function 00855E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a14beb9c40deba7cc6b2730e32b6f1d4709a0b9abbf70a194a7b1237d1d04fd
Instruction ID: 156f68ced76a6b18f12456246456b61f6b7fc0edd65d450154274c2ba7603e94
Opcode Fuzzy Hash: 1a14beb9c40deba7cc6b2730e32b6f1d4709a0b9abbf70a194a7b1237d1d04fd
Instruction Fuzzy Hash: C821B2705082019BC310AF18C86292BB7F4FF92766F44890CF8D9DB291E734DA08CBA3

Function 008349A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: ab9ff0503543ce07397415a210336482d07a8b8f9615e0b940836d40c742d417
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: 3631D5316482109BD7149E58D880A2BB7E1FFC8359F18992DE89ADB352D331FC52CBC6

Function 008764B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00d366d1f50f79700baa50f4b6edb164a79a6be118a95ca9cf26806a66622e1
Instruction ID: 99e14fa9fafef270640942c7b71ad4ace09eed44eea8c4ca67a0b108e1ef36dd
Opcode Fuzzy Hash: d00d366d1f50f79700baa50f4b6edb164a79a6be118a95ca9cf26806a66622e1
Instruction Fuzzy Hash: CE2123706086409BC704EF19D880A2EBBE6FB95745F28C81CE4C9D7365D335E861CB66

Function 00AEA673 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee963e61df17509b4cfd0a41fe8d52246d2846c88db9d1a60c3c0bcd2513f9b5
Instruction ID: 3e3a87866e5b90c8e7ac9456c7a76ca505553fcab9c490374a2c9613db3f48ce
Opcode Fuzzy Hash: ee963e61df17509b4cfd0a41fe8d52246d2846c88db9d1a60c3c0bcd2513f9b5
Instruction Fuzzy Hash: E721F4B250C304AFE301BF59E8866AEFBF5FF98710F16482DE2D582610E731A550CA57

Function 0086B650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: c947661a76c5a990ca8f4e1f3be06e7038582be81ab566ea06f8b9a7d2a42548
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 9D11A933A091D94EC3168D3CC440565BFA36AB3639B5A4399F4B4DB2D2D7238DCA8355

Function 00860B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: 9c2dd328292d8d59ca08a75592ca2ffa555e4382a2831a5570f0500d9708aaa0
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: 4A0175F5A0130147E7209E5494D1B3BB2A8FF81768F1A852CD446D7301DB75EC05DB9A

Function 0085D1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d15eb6e2f926f6db3bc722d3904b541111923bf3868787d50f0981865f2183a5
Instruction ID: b093acc046bbf18931d86266d9878cae00b8839b9c72c8e7bac5cb4088a2e6f6
Opcode Fuzzy Hash: d15eb6e2f926f6db3bc722d3904b541111923bf3868787d50f0981865f2183a5
Instruction Fuzzy Hash: 4A11DBB0418380AFD3209F658484A2FFBE5FBA6714F148C0DE6A49B251C779E819CF57

Function 00836EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc6bf1119c09681d4697be4bbc1a40e3b1271a5271bcb40686090281a042ff8
Instruction ID: 9ed4f79c4d5b7959f283b6f214f4c6097a008ef84adca28b6bd2d5e7dfc46436
Opcode Fuzzy Hash: 3cc6bf1119c09681d4697be4bbc1a40e3b1271a5271bcb40686090281a042ff8
Instruction Fuzzy Hash: C9F0243A71820A1BA210CDAEA88483BB396FBD9355F149538EA44C3201ED72E80681D0

Function 0086B8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 0084C5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 0084B410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 0242d172714916fd839baf56cccac9d8184b5222ee89352d9f8465fccb459c40
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: 75F0ECB160451857DF228A559CC0F37FB9CDB87354F191436F945D7503D261D845C3EA

Function 00868220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ed888fa2e436424871118cb20e4edc10e4d294fc32d7dc9d3ca655a383f0a3
Instruction ID: da521c3532dd42e48a560bb5a2836e764f6cd7a7d44d25304c04f125698ff555
Opcode Fuzzy Hash: a6ed888fa2e436424871118cb20e4edc10e4d294fc32d7dc9d3ca655a383f0a3
Instruction Fuzzy Hash: BC01E4B04107009FD360EF29C445747BBF8FB48754F108A1DE8AECB680D770A5888B82

Function 00871440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: d74e0554c9a06968506aff5bb39b2b2b28510121ae20ccf73e8f767603a3f33d
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 11D05E31608321469F648E1DA404977F7E1FA87B11F49955EF58AE314CE230DC41C2AD

Function 00841ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f66e89028a7c9cef264be5a151c0b4d2f91bca9f44446484839334983b4997
Instruction ID: 460e17425553454aa0e1bd1e3f469010911329755ed3a90447d56f6f8e87e8b9
Opcode Fuzzy Hash: 97f66e89028a7c9cef264be5a151c0b4d2f91bca9f44446484839334983b4997
Instruction Fuzzy Hash: F1C08C34A290058BC244CF06FC9D432B3B8B70730CB00703ADB0BF3223DA20C4428A0D

Function 00876094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f5c1ab44ac0cd55c9f046fe84ec415777bfddf7b359fd32b91299f01f00f3d
Instruction ID: 9b48710eb4e014114c80c1b710dddb624b8799652b0c572659d352f1036e80f0
Opcode Fuzzy Hash: b9f5c1ab44ac0cd55c9f046fe84ec415777bfddf7b359fd32b91299f01f00f3d
Instruction Fuzzy Hash: D7C09B7469C10487A20CCF0CD951475F376FB97F38724F01DC80663259C534D512961C

Function 00841A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 044dc902a95925036e7561cd3698785f3bfd9abc1b3b5be95b3d0c72af9ee275
Instruction ID: 58c4de0e8292b8cf274358528855fd1c3fd367ce4282a9d36ec6af33fb649795
Opcode Fuzzy Hash: 044dc902a95925036e7561cd3698785f3bfd9abc1b3b5be95b3d0c72af9ee275
Instruction Fuzzy Hash: ADC09B34A6D044CBC644CF87E8D9531A3FCB70720CB10303A970BF7267C560D445850D

Function 00875FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179618729.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000000.00000002.2179604946.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000890000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B28000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179654631.0000000000B37000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179909854.0000000000B38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180021162.0000000000CD4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2180037824.0000000000CD5000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45374dda2bac58197b97bbed792ce2d61a9dc87676ec4cc0dc7dd08768c67c15
Instruction ID: 3488b32781aaecca1ce51a56d5314967bc739723dd7c30225e5e20c70325b522
Opcode Fuzzy Hash: 45374dda2bac58197b97bbed792ce2d61a9dc87676ec4cc0dc7dd08768c67c15
Instruction Fuzzy Hash: D2C09274BA80008BA24CCF1CDD51935F2BAAB8BE38B14B02DC806A3256D134D912870C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 008750FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Function 0083FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 0083D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 00875700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Function 00875BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0087695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 0084049B Relevance: .3, Instructions: 264
COMMON

Function 00873220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 00873202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON