Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1527554
MD5:	86fea273d36e3f9c8221e22b937b1929
SHA1:	e21ce70e02939c4afd908c4f3222b52b154fafb0
SHA256:	76ff561ab5532de44b42249c4d686fc75c21bb17fedc8c6ca3af4268388c3bcc
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6472 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 86FEA273D36E3F9C8221E22B937B1929)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["mobbipenju.stor", "dissapoiznw.stor", "bathdoomgaz.stor", "studennotediw.stor", "licendfilteo.site", "spirittunek.stor", "clearancek.site", "eaglepawnoy.stor"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T02:58:09.371001+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.4	64610	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T02:58:09.318466+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.4	57803	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T02:58:09.349447+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.4	62241	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T02:58:09.339582+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.4	54591	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T02:58:09.394735+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.4	59313	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T02:58:09.329281+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.4	58246	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T02:58:09.383104+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.4	64933	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T02:58:09.359313+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.4	50882	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.6472.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["mobbipenju.stor", "dissapoiznw.stor", "bathdoomgaz.stor", "studennotediw.stor", "licendfilteo.site", "spirittunek.stor", "clearancek.site", "eaglepawnoy.stor"], "Build id": "4SD0y4--legendaryy"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_008B50FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0087D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0087D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_008B63B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_008B5700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_008B99D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	0_2_008B695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_0087FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00880EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_008B6094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	0_2_00871000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00886F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_008AF030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_008B4040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_0089D1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_008842FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00892260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_00892260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_008A23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_008A23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_008A23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_008A23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_008A23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	0_2_008A23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_0087A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_008B64B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0089E40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_0088B410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_008B1440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0088D457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_0089C470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00899510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	0_2_008B7520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00886536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_008AB650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0089E66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0089D7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	0_2_008B67EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_008B7710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_008928E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_008749A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	0_2_008B3920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_0088D961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00881ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00881A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_008B4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_00875A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_008A0B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00881BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00883BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	0_2_0088DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	0_2_0088DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_008B9B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_0089AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	0_2_0089AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_0089CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0089CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	0_2_0089CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_008B9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	0_2_008B9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_00897C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	0_2_008AFC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	0_2_0089EC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_008B8D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	0_2_0089FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_0089DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00881E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00876EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	0_2_0087BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_00886EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	0_2_00884E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	0_2_0089AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00897E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00895E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00886F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	0_2_008B7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_008B7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00878FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	0_2_0088FFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_008B5FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00899F62
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_008AFF70

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.4:54591 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.4:58246 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.4:64610 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.4:64933 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.4:50882 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.4:59313 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.4:62241 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.4:57803 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: mobbipenju.stor
Source: Malware configuration extractor	URLs: dissapoiznw.stor
Source: Malware configuration extractor	URLs: bathdoomgaz.stor
Source: Malware configuration extractor	URLs: studennotediw.stor
Source: Malware configuration extractor	URLs: licendfilteo.site
Source: Malware configuration extractor	URLs: spirittunek.stor
Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: eaglepawnoy.stor

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000000.00000002.1793514920.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowere equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=709491e9a614b5bd7a8383b4; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 07 Oct 2024 00:58:10 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control~ equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: c.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: d.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: d.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=709491e9a614b5bd7a8383b4; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 07 Oct 2024 00:58:10 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control~ equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.1793514920.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowere equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000002.1793433978.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.000000000149F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bathdoomgaz.store:443/api
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000002.1793433978.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.000000000149F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site:443/api
Source: file.exe, 00000000.00000002.1793433978.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.000000000149F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site:443/apii%Vu
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000002.1793300479.0000000001496000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000002.1793300479.0000000001496000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000000.00000002.1793300479.0000000001496000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000002.1793433978.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.000000000149F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eaglepawnoy.store:443/api
Source: file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000002.1793514920.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowere
Source: file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000002.1793514920.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792132291.00000000014CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/&&4
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000002.1793433978.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.000000000149F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/lA
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.1792245888.000000000149F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000002.1793433978.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.000000000149F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000002.1793433978.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.000000000149F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://studennotediw.store:443/api
Source: file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00880228	0_2_00880228
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008BA0D0	0_2_008BA0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00871000	0_2_00871000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D01043	0_2_00D01043
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014	0_2_00A32014
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00882030	0_2_00882030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B4040	0_2_008B4040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D01000	0_2_00D01000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009DF18E	0_2_009DF18E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087E1A0	0_2_0087E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008771F0	0_2_008771F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00875160	0_2_00875160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A82D0	0_2_008A82D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A12D0	0_2_008A12D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008712F7	0_2_008712F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008713A3	0_2_008713A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087B3A0	0_2_0087B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A41394	0_2_00A41394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A23E0	0_2_008A23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087A300	0_2_0087A300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009AA307	0_2_009AA307
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00884487	0_2_00884487
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088049B	0_2_0088049B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A64F0	0_2_008A64F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089C470	0_2_0089C470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008735B0	0_2_008735B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088C5F0	0_2_0088C5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3C505	0_2_00A3C505
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A306B3	0_2_00A306B3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B86F0	0_2_008B86F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008AF620	0_2_008AF620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087164F	0_2_0087164F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B8652	0_2_008B8652
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3A7AD	0_2_00A3A7AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3F7BB	0_2_00A3F7BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008AE8A0	0_2_008AE8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008AB8C0	0_2_008AB8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A37835	0_2_00A37835
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A1860	0_2_008A1860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089098B	0_2_0089098B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B89A0	0_2_008B89A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A2E960	0_2_00A2E960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B8A80	0_2_008B8A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A33AAD	0_2_00A33AAD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B7AB0	0_2_008B7AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B4A40	0_2_008B4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A04BA0	0_2_00A04BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A38BF3	0_2_00A38BF3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00877BF0	0_2_00877BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088DB6F	0_2_0088DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B6CBF	0_2_008B6CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089CCD0	0_2_0089CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B8C02	0_2_008B8C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089FD10	0_2_0089FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089DD29	0_2_0089DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009DAD3E	0_2_009DAD3E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00898D62	0_2_00898D62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087BEB0	0_2_0087BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00886EBF	0_2_00886EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00884E2A	0_2_00884E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089AE57	0_2_0089AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B8E70	0_2_008B8E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B7FC0	0_2_008B7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00878FD0	0_2_00878FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087AF10	0_2_0087AF10

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0088D300 appears 152 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0087CAA0 appears 48 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9994907693894389
Source: file.exe	Static PE information: Section: kawjnymv ZLIB complexity 0.9945041232638889

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008A8220 CoCreateInstance,

0_2_008A8220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1829376 > 1048576

Source: file.exe

Static PE information: Raw size of kawjnymv is bigger than: 0x100000 < 0x195000

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.870000.0.unpack :EW;.rsrc :W;.idata :W; :EW;kawjnymv:EW;ldklrfiv:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;kawjnymv:EW;ldklrfiv:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1c1519 should be: 0x1c3efd

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: kawjnymv
Source: file.exe	Static PE information: section name: ldklrfiv
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D40DD push edi; mov dword ptr [esp], ecx	0_2_009D414E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D40DD push ebx; mov dword ptr [esp], 38EB1024h	0_2_009D4194
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D40DD push 376D47F7h; mov dword ptr [esp], ebp	0_2_009D41CE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6C0C2 push eax; mov dword ptr [esp], 3BFF88DFh	0_2_00A6C0D2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AE20D8 push edx; mov dword ptr [esp], ebx	0_2_00AE20E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AE20D8 push esi; mov dword ptr [esp], eax	0_2_00AE2103
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AE20D8 push 58B868C7h; mov dword ptr [esp], ecx	0_2_00AE2121
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D01043 push 269CD700h; mov dword ptr [esp], ecx	0_2_00D0104B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D01043 push 2C223674h; mov dword ptr [esp], eax	0_2_00D01063
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D01043 push ecx; mov dword ptr [esp], edx	0_2_00D010F5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D01043 push eax; mov dword ptr [esp], 4FFAE5F0h	0_2_00D01112
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D01043 push ebp; mov dword ptr [esp], 73A6A000h	0_2_00D01136
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D01043 push 15BAE112h; mov dword ptr [esp], eax	0_2_00D0114C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D01043 push ecx; mov dword ptr [esp], 56DA142Bh	0_2_00D01156
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D01043 push 3F00F235h; mov dword ptr [esp], ebp	0_2_00D01183
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014 push 10E84B11h; mov dword ptr [esp], eax	0_2_00A3201C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014 push edi; mov dword ptr [esp], 3DEAB25Dh	0_2_00A320BE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014 push eax; mov dword ptr [esp], 3A25B71Ah	0_2_00A320ED
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014 push eax; mov dword ptr [esp], 65B4E31Dh	0_2_00A3211C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014 push edi; mov dword ptr [esp], 1F33797Bh	0_2_00A32179
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014 push 174C3567h; mov dword ptr [esp], edx	0_2_00A32189
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014 push esi; mov dword ptr [esp], ecx	0_2_00A3218D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014 push edx; mov dword ptr [esp], esi	0_2_00A321E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014 push ebp; mov dword ptr [esp], eax	0_2_00A3223E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014 push eax; mov dword ptr [esp], 7F31168Dh	0_2_00A32246
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014 push edi; mov dword ptr [esp], esi	0_2_00A32296
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014 push 39045D3Ch; mov dword ptr [esp], ebx	0_2_00A322D3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014 push 394E0641h; mov dword ptr [esp], esi	0_2_00A322FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014 push 3C17F2CEh; mov dword ptr [esp], esi	0_2_00A32357
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014 push 738C48A6h; mov dword ptr [esp], esp	0_2_00A3238B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A32014 push edi; mov dword ptr [esp], 5700BD31h	0_2_00A32444

Source: file.exe	Static PE information: section name: entropy: 7.974967457011881
Source: file.exe	Static PE information: section name: kawjnymv entropy: 7.953272696615757

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8D41B9 second address: 8D41BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8D41BE second address: 8D3982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b movzx edi, di 0x0000000e jo 00007FCDBCDBB72Bh 0x00000014 mov eax, 3D8E6A22h 0x00000019 popad 0x0000001a push dword ptr [ebp+122D0685h] 0x00000020 xor dword ptr [ebp+122D1A9Ch], edi 0x00000026 add dword ptr [ebp+122D187Ch], edx 0x0000002c call dword ptr [ebp+122D186Dh] 0x00000032 pushad 0x00000033 sub dword ptr [ebp+122D1A8Bh], esi 0x00000039 xor eax, eax 0x0000003b pushad 0x0000003c call 00007FCDBCDBB72Fh 0x00000041 sub bx, 0D6Dh 0x00000046 pop ebx 0x00000047 sbb bl, FFFFFFBAh 0x0000004a popad 0x0000004b mov edx, dword ptr [esp+28h] 0x0000004f mov dword ptr [ebp+122D3386h], ebx 0x00000055 mov dword ptr [ebp+122D36A2h], eax 0x0000005b xor dword ptr [ebp+122D1ADCh], esi 0x00000061 mov esi, 0000003Ch 0x00000066 xor dword ptr [ebp+122D1A8Bh], edx 0x0000006c add esi, dword ptr [esp+24h] 0x00000070 ja 00007FCDBCDBB72Ch 0x00000076 lodsw 0x00000078 jg 00007FCDBCDBB72Eh 0x0000007e add eax, dword ptr [esp+24h] 0x00000082 jmp 00007FCDBCDBB72Fh 0x00000087 clc 0x00000088 mov ebx, dword ptr [esp+24h] 0x0000008c cld 0x0000008d push eax 0x0000008e pushad 0x0000008f push eax 0x00000090 push edx 0x00000091 jmp 00007FCDBCDBB72Eh 0x00000096 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8D3982 second address: 8D398F instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCDBDA9B2C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46F74 second address: A46F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46F78 second address: A46F7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A40E69 second address: A40E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCDBCDBB72Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A46660 second address: A466A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jnp 00007FCDBDA9B2CAh 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FCDBDA9B2DEh 0x00000016 push eax 0x00000017 pop eax 0x00000018 jmp 00007FCDBDA9B2D6h 0x0000001d pushad 0x0000001e jmp 00007FCDBDA9B2CEh 0x00000023 push edi 0x00000024 pop edi 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A466A5 second address: A466AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A466AA second address: A466B7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCDBDA9B2C8h 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4899E second address: A48A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FCDBCDBB739h 0x0000000a popad 0x0000000b xor dword ptr [esp], 57D730D1h 0x00000012 and edx, dword ptr [ebp+122D37DAh] 0x00000018 push 00000003h 0x0000001a xor dword ptr [ebp+122D1B42h], eax 0x00000020 mov edi, dword ptr [ebp+122D381Ah] 0x00000026 push 00000000h 0x00000028 call 00007FCDBCDBB739h 0x0000002d jmp 00007FCDBCDBB731h 0x00000032 pop edx 0x00000033 push 00000003h 0x00000035 mov esi, dword ptr [ebp+122D37C6h] 0x0000003b push EA602810h 0x00000040 push eax 0x00000041 push edx 0x00000042 ja 00007FCDBCDBB728h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A48A1C second address: A48A7C instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCDBDA9B2C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 2A602810h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007FCDBDA9B2C8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b add di, D985h 0x00000030 lea ebx, dword ptr [ebp+1244881Ah] 0x00000036 mov edx, dword ptr [ebp+122D3556h] 0x0000003c xchg eax, ebx 0x0000003d jmp 00007FCDBDA9B2D9h 0x00000042 push eax 0x00000043 pushad 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A48A7C second address: A48A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FCDBCDBB726h 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A48ADF second address: A48AE9 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCDBDA9B2CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A48AE9 second address: A48B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 or dword ptr [ebp+122D1ACDh], ecx 0x0000000f mov esi, dword ptr [ebp+122D372Eh] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007FCDBCDBB728h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 mov di, ax 0x00000034 jno 00007FCDBCDBB726h 0x0000003a push 291B5D79h 0x0000003f push eax 0x00000040 push edx 0x00000041 jbe 00007FCDBCDBB728h 0x00000047 pushad 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A48B35 second address: A48BE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 291B5DF9h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FCDBDA9B2C8h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a push edx 0x0000002b jnc 00007FCDBDA9B2C8h 0x00000031 pop edx 0x00000032 push 00000003h 0x00000034 mov cl, dh 0x00000036 push 00000000h 0x00000038 jmp 00007FCDBDA9B2D4h 0x0000003d mov edx, dword ptr [ebp+122D353Ah] 0x00000043 push 00000003h 0x00000045 sub dword ptr [ebp+122D5618h], ecx 0x0000004b push BA216E28h 0x00000050 push eax 0x00000051 jmp 00007FCDBDA9B2CDh 0x00000056 pop eax 0x00000057 add dword ptr [esp], 05DE91D8h 0x0000005e mov dword ptr [ebp+122D1904h], edx 0x00000064 lea ebx, dword ptr [ebp+12448823h] 0x0000006a mov dword ptr [ebp+122D1904h], ecx 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 jmp 00007FCDBDA9B2D1h 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A48BE3 second address: A48BE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A48BE8 second address: A48BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A48D31 second address: A48D36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A48D36 second address: A48D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCDBDA9B2D2h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jbe 00007FCDBDA9B2E7h 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A48D5A second address: A48D8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBCDBB739h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCDBCDBB732h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A36C48 second address: A36C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A36C4C second address: A36C5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A36C5A second address: A36C60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A36C60 second address: A36C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A36C66 second address: A36C6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6938B second address: A6938F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6938F second address: A69395 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A69ACB second address: A69ADB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FCDBCDBB726h 0x0000000a jno 00007FCDBCDBB726h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A69ADB second address: A69ADF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A69ADF second address: A69AE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A69C44 second address: A69C49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A69EC1 second address: A69EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A69EC7 second address: A69ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A69ECD second address: A69ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6A182 second address: A6A186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6A186 second address: A6A1A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBCDBB736h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6FD3C second address: A6FD61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edi 0x0000000c js 00007FCDBDA9B2C6h 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A70538 second address: A70567 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBCDBB733h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FCDBCDBB72Dh 0x00000012 je 00007FCDBCDBB726h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A75EB8 second address: A75ECC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2CFh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A33614 second address: A3361A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3361A second address: A3363A instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCDBDA9B2D1h 0x00000008 jmp 00007FCDBDA9B2CBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jc 00007FCDBDA9B2EDh 0x00000015 push esi 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A75618 second address: A7561C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A757C1 second address: A757C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A75A26 second address: A75A2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A75A2C second address: A75A36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCDBDA9B2C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A75BD7 second address: A75BDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A75D79 second address: A75D83 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCDBDA9B2CEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A766AA second address: A766AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A766AE second address: A766C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCDBDA9B2CAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A766C0 second address: A766DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCDBCDBB730h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76B57 second address: A76B6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76B6E second address: A76B8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCDBCDBB739h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A772A0 second address: A772A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A777F1 second address: A777F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A777F7 second address: A77800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A77800 second address: A77804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A77D6B second address: A77D70 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A77D70 second address: A77D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jl 00007FCDBCDBB734h 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007FCDBCDBB726h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A77D86 second address: A77DC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007FCDBDA9B2C8h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 00000015h 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 add edi, dword ptr [ebp+122D1AE2h] 0x00000027 push 00000000h 0x00000029 mov edi, ebx 0x0000002b push 00000000h 0x0000002d mov esi, eax 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 jnc 00007FCDBDA9B2CCh 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A77DC7 second address: A77DD1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCDBCDBB72Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A786C0 second address: A78707 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCDBDA9B2CCh 0x00000008 jng 00007FCDBDA9B2C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 add esi, 47F6257Bh 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007FCDBDA9B2C8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 push 00000000h 0x00000035 pushad 0x00000036 mov dword ptr [ebp+124454E1h], ecx 0x0000003c sub al, FFFFFFD4h 0x0000003f popad 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A78707 second address: A7870D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A797D7 second address: A797E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCDBDA9B2CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7BE6B second address: A7BE6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7AB55 second address: A7AB5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7AB5B second address: A7AB70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FCDBCDBB72Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7BE6F second address: A7BE75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7AB70 second address: A7AB88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCDBCDBB734h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A35033 second address: A3504E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FCDBDA9B2D2h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7C3FB second address: A7C3FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7CFA3 second address: A7CFA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7CCEF second address: A7CD0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBCDBB739h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7CD0C second address: A7CD16 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCDBDA9B2CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7D994 second address: A7D999 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7D999 second address: A7D9C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCDBDA9B2D5h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCDBDA9B2CAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7E66B second address: A7E690 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCDBCDBB733h 0x00000008 jnc 00007FCDBCDBB726h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7E690 second address: A7E697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7EECE second address: A7EEE9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FCDBCDBB730h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7EEE9 second address: A7EEF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A83B29 second address: A83B4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 js 00007FCDBCDBB728h 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FCDBCDBB72Fh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A85022 second address: A8502C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCDBDA9B2C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A85204 second address: A8520C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A86FD5 second address: A86FDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87E91 second address: A87E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87171 second address: A87175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87175 second address: A8718C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBCDBB733h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87F3F second address: A87F45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8718C second address: A87193 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A89E8F second address: A89EDA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FCDBDA9B2C8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 mov edi, dword ptr [ebp+122D1C14h] 0x0000002b mov ebx, 3868A1B1h 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D1C5Dh], edx 0x00000038 push 00000000h 0x0000003a sub edi, 4CDE8094h 0x00000040 mov ebx, edi 0x00000042 xchg eax, esi 0x00000043 push esi 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A88FF0 second address: A88FF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A88FF5 second address: A89000 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FCDBDA9B2C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8B051 second address: A8B056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8A084 second address: A8A08A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8A08A second address: A8A08E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A90087 second address: A9008C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9008C second address: A90092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8C1FE second address: A8C204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8C204 second address: A8C276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push dword ptr fs:[00000000h] 0x0000000f mov bx, si 0x00000012 mov dword ptr fs:[00000000h], esp 0x00000019 mov eax, dword ptr [ebp+122D0945h] 0x0000001f sub dword ptr [ebp+122D1824h], edx 0x00000025 xor dword ptr [ebp+122D34E5h], ebx 0x0000002b push FFFFFFFFh 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007FCDBCDBB728h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 nop 0x00000048 push edi 0x00000049 jp 00007FCDBCDBB728h 0x0000004f pop edi 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007FCDBCDBB738h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8C276 second address: A8C286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCDBDA9B2CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A901F2 second address: A9020E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBCDBB738h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A90FAC second address: A90FB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9020E second address: A90218 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCDBCDBB72Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A90FB1 second address: A90FB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A90FB7 second address: A90FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A90FBB second address: A90FBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A90FBF second address: A91063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 je 00007FCDBCDBB73Ch 0x0000000f jmp 00007FCDBCDBB736h 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007FCDBCDBB728h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push edx 0x00000034 call 00007FCDBCDBB728h 0x00000039 pop edx 0x0000003a mov dword ptr [esp+04h], edx 0x0000003e add dword ptr [esp+04h], 00000018h 0x00000046 inc edx 0x00000047 push edx 0x00000048 ret 0x00000049 pop edx 0x0000004a ret 0x0000004b push 00000000h 0x0000004d call 00007FCDBCDBB739h 0x00000052 movzx ebx, si 0x00000055 pop ebx 0x00000056 xchg eax, esi 0x00000057 jg 00007FCDBCDBB734h 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push edi 0x00000061 ja 00007FCDBCDBB726h 0x00000067 pop edi 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A91063 second address: A91072 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCDBDA9B2CBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A921FA second address: A92229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FCDBCDBB72Dh 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FCDBCDBB737h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A94FBC second address: A94FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A94FC2 second address: A94FD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCDBCDBB72Bh 0x00000009 jns 00007FCDBCDBB726h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A31B14 second address: A31B19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7AB6C second address: A7AB70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9AB7F second address: A9AB93 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCDBDA9B2C8h 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007FCDBDA9B2C6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9AD03 second address: A9AD4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBCDBB738h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007FCDBCDBB739h 0x00000011 js 00007FCDBCDBB726h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a ja 00007FCDBCDBB726h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9AD4A second address: A9AD56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9AE95 second address: A9AE9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B006 second address: A9B025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FCDBDA9B2C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCDBDA9B2D2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA130E second address: AA1314 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA1314 second address: AA131A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA131A second address: 8D3982 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBCDBB72Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 29046A01h 0x00000012 jbe 00007FCDBCDBB739h 0x00000018 jmp 00007FCDBCDBB733h 0x0000001d push dword ptr [ebp+122D0685h] 0x00000023 jl 00007FCDBCDBB72Dh 0x00000029 jns 00007FCDBCDBB727h 0x0000002f clc 0x00000030 call dword ptr [ebp+122D186Dh] 0x00000036 pushad 0x00000037 sub dword ptr [ebp+122D1A8Bh], esi 0x0000003d xor eax, eax 0x0000003f pushad 0x00000040 call 00007FCDBCDBB72Fh 0x00000045 sub bx, 0D6Dh 0x0000004a pop ebx 0x0000004b sbb bl, FFFFFFBAh 0x0000004e popad 0x0000004f mov edx, dword ptr [esp+28h] 0x00000053 mov dword ptr [ebp+122D3386h], ebx 0x00000059 mov dword ptr [ebp+122D36A2h], eax 0x0000005f xor dword ptr [ebp+122D1ADCh], esi 0x00000065 mov esi, 0000003Ch 0x0000006a xor dword ptr [ebp+122D1A8Bh], edx 0x00000070 add esi, dword ptr [esp+24h] 0x00000074 ja 00007FCDBCDBB72Ch 0x0000007a lodsw 0x0000007c jg 00007FCDBCDBB72Eh 0x00000082 add eax, dword ptr [esp+24h] 0x00000086 jmp 00007FCDBCDBB72Fh 0x0000008b clc 0x0000008c mov ebx, dword ptr [esp+24h] 0x00000090 cld 0x00000091 push eax 0x00000092 pushad 0x00000093 push eax 0x00000094 push edx 0x00000095 jmp 00007FCDBCDBB72Eh 0x0000009a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3D7AA second address: A3D7BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCDBDA9B2CBh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA6122 second address: AA6140 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 js 00007FCDBCDBB726h 0x00000009 jmp 00007FCDBCDBB730h 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA6140 second address: AA6146 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA6289 second address: AA62A1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCDBCDBB726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007FCDBCDBB728h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA62A1 second address: AA62A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA62A5 second address: AA62B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAE561 second address: AAE567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAE567 second address: AAE585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCDBCDBB736h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAE585 second address: AAE590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FCDBDA9B2C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAD512 second address: AAD520 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAD520 second address: AAD526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAD526 second address: AAD54C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCDBCDBB726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FCDBCDBB736h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7F828 second address: A7F897 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCDBDA9B2D1h 0x00000008 jmp 00007FCDBDA9B2CBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jnc 00007FCDBDA9B2C6h 0x0000001a popad 0x0000001b pop edx 0x0000001c nop 0x0000001d mov edi, dword ptr [ebp+122D2365h] 0x00000023 lea eax, dword ptr [ebp+1247F568h] 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007FCDBDA9B2C8h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 00000019h 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 add edx, dword ptr [ebp+122D3349h] 0x00000049 push eax 0x0000004a jl 00007FCDBDA9B2DDh 0x00000050 pushad 0x00000051 jmp 00007FCDBDA9B2CFh 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7FA62 second address: A7FA6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7FA6E second address: A7FA72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A80077 second address: A80087 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCDBCDBB72Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A807E9 second address: A807F3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A807F3 second address: A807F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A807F7 second address: A80861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FCDBDA9B2C8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov ecx, edi 0x00000026 push 0000001Eh 0x00000028 push 00000000h 0x0000002a push edx 0x0000002b call 00007FCDBDA9B2C8h 0x00000030 pop edx 0x00000031 mov dword ptr [esp+04h], edx 0x00000035 add dword ptr [esp+04h], 0000001Bh 0x0000003d inc edx 0x0000003e push edx 0x0000003f ret 0x00000040 pop edx 0x00000041 ret 0x00000042 nop 0x00000043 jmp 00007FCDBDA9B2D5h 0x00000048 push eax 0x00000049 push eax 0x0000004a push esi 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A80B29 second address: A80B64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBCDBB736h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FCDBCDBB736h 0x0000000e popad 0x0000000f push eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007FCDBCDBB726h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A80B64 second address: A80B92 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D1E69h], esi 0x0000000e lea eax, dword ptr [ebp+1247F5ACh] 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FCDBDA9B2D5h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A80B92 second address: A80B9C instructions: 0x00000000 rdtsc 0x00000002 js 00007FCDBCDBB726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A80B9C second address: A80BA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AADEAA second address: AADEAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AADEAE second address: AADEE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCDBDA9B2D2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FCDBDA9B2CEh 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 pop eax 0x00000015 js 00007FCDBDA9B2F2h 0x0000001b push eax 0x0000001c push edx 0x0000001d jnp 00007FCDBDA9B2C6h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AADEE7 second address: AADF01 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCDBCDBB726h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007FCDBCDBB726h 0x00000014 jg 00007FCDBCDBB726h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAE029 second address: AAE036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FCDBDA9B2C6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAE036 second address: AAE03C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB2C20 second address: AB2C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB2ED7 second address: AB2EDD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB32F6 second address: AB330C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2CFh 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB3901 second address: AB3907 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB3907 second address: AB390B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB390B second address: AB395B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBCDBB736h 0x00000007 ja 00007FCDBCDBB726h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007FCDBCDBB737h 0x00000017 pushad 0x00000018 jmp 00007FCDBCDBB733h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB833E second address: AB835A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FCDBDA9B2C6h 0x0000000a popad 0x0000000b jmp 00007FCDBDA9B2CAh 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB8481 second address: AB8494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FCDBCDBB726h 0x0000000a popad 0x0000000b push esi 0x0000000c jng 00007FCDBCDBB726h 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB8494 second address: AB84AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCDBDA9B2D5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB84AF second address: AB84B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB8A03 second address: AB8A23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCDBDA9B2CBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FCDBDA9B2CCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB8CCC second address: AB8CD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB8CD0 second address: AB8CD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB9068 second address: AB906C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7ECB second address: AB7ED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7ED1 second address: AB7EFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCDBCDBB734h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FCDBCDBB72Bh 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7EFB second address: AB7F1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCDBDA9B2D5h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FCDBDA9B2C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC0001 second address: AC0005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABFCBE second address: ABFD02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2D4h 0x00000007 jmp 00007FCDBDA9B2D6h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007FCDBDA9B2D2h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABFD02 second address: ABFD06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABFD06 second address: ABFD2A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCDBDA9B2C6h 0x00000008 jmp 00007FCDBDA9B2D2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC16BA second address: AC16D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCDBCDBB735h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4221 second address: AC4227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4376 second address: AC437C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC437C second address: AC4388 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FCDBDA9B2C6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACADD5 second address: ACADDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACADDB second address: ACADE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FCDBDA9B2C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACADE5 second address: ACADE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC98CA second address: AC98D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC9A2F second address: AC9A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCDBCDBB726h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC9A39 second address: AC9A3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC9A3D second address: AC9A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC9CF9 second address: AC9CFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC9CFD second address: AC9D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCDBCDBB731h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC9D16 second address: AC9D26 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCDBDA9B2C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC9D26 second address: AC9D2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A80673 second address: A80678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A80678 second address: A806B4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007FCDBCDBB728h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 push 00000004h 0x00000025 mov dword ptr [ebp+124446D3h], ecx 0x0000002b push eax 0x0000002c pushad 0x0000002d pushad 0x0000002e jl 00007FCDBCDBB726h 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC9FCC second address: AC9FE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2CAh 0x00000007 jno 00007FCDBDA9B2C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC9FE0 second address: AC9FE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACA15F second address: ACA163 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACDBD4 second address: ACDBFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jg 00007FCDBCDBB730h 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f jmp 00007FCDBCDBB72Fh 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACDBFD second address: ACDC16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2CEh 0x00000007 pushad 0x00000008 jnc 00007FCDBDA9B2C6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD19FF second address: AD1A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCDBCDBB72Dh 0x00000009 popad 0x0000000a jnp 00007FCDBCDBB744h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD1A39 second address: AD1A43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FCDBDA9B2C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD0CA4 second address: AD0CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD0E47 second address: AD0E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD0F9C second address: AD0FC9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FCDBCDBB739h 0x0000000c jns 00007FCDBCDBB726h 0x00000012 popad 0x00000013 popad 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD0FC9 second address: AD0FCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD15B8 second address: AD15D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jns 00007FCDBCDBB726h 0x0000000c popad 0x0000000d jmp 00007FCDBCDBB72Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD15D0 second address: AD15D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD78EC second address: AD78F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD78F3 second address: AD7900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FCDBDA9B2D2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD7A54 second address: AD7A58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD7EC9 second address: AD7EEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD81B4 second address: AD81C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD81C1 second address: AD81F0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FCDBDA9B2D5h 0x00000008 jmp 00007FCDBDA9B2D1h 0x0000000d pop edx 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD8497 second address: AD84A3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD84A3 second address: AD84A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD84A7 second address: AD84AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD84AB second address: AD84C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCDBDA9B2C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007FCDBDA9B2CCh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD84C7 second address: AD84DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FCDBCDBB726h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push ebx 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD8FF1 second address: AD8FFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCDBDA9B2C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADEBC0 second address: ADEBC6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEA5FB second address: AEA600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEA77A second address: AEA792 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBCDBB72Eh 0x00000007 je 00007FCDBCDBB726h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEAA81 second address: AEAA8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FCDBDA9B2C6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEAA8D second address: AEAA99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEABCB second address: AEABE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2D9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEAD4B second address: AEAD51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEAD51 second address: AEAD72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCDBDA9B2D8h 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEAEC4 second address: AEAECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE9CC1 second address: AE9CD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE9CD5 second address: AE9CDA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE9CDA second address: AE9CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE9CE0 second address: AE9CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jns 00007FCDBCDBB72Ah 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE9CF7 second address: AE9D1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2D6h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FCDBDA9B2CAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF342E second address: AF346D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCDBCDBB73Ch 0x00000008 jnl 00007FCDBCDBB726h 0x0000000e jmp 00007FCDBCDBB730h 0x00000013 jmp 00007FCDBCDBB733h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a js 00007FCDBCDBB732h 0x00000020 push eax 0x00000021 push edx 0x00000022 push edx 0x00000023 pop edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF2E33 second address: AF2E6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FCDBDA9B2DCh 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 jnp 00007FCDBDA9B2CAh 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e jng 00007FCDBDA9B2CEh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF2E6F second address: AF2E8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FCDBCDBB736h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF311C second address: AF3121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF3121 second address: AF3139 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCDBCDBB734h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF3139 second address: AF313D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFE0DD second address: AFE0E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFE0E1 second address: AFE0ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FCDBDA9B2C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B02D62 second address: B02D72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FCDBCDBB72Eh 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B06593 second address: B065AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B065AE second address: B065B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B065B4 second address: B065C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FCDBDA9B2C6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B065C4 second address: B065EF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FCDBCDBB732h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCDBCDBB72Bh 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B065EF second address: B065FB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnc 00007FCDBDA9B2C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B065FB second address: B06607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jne 00007FCDBCDBB726h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B06607 second address: B0660B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B05FED second address: B05FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B05FF3 second address: B05FFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B05FFC second address: B06020 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBCDBB736h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007FCDBCDBB72Eh 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B15BFB second address: B15C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B15C01 second address: B15C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jbe 00007FCDBCDBB73Fh 0x0000000b jmp 00007FCDBCDBB72Dh 0x00000010 jmp 00007FCDBCDBB72Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B15C25 second address: B15C39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2CDh 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B15C39 second address: B15C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B15C3F second address: B15C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jp 00007FCDBDA9B2D4h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3BCD2 second address: A3BCEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCDBCDBB737h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B18229 second address: B1822D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B1808A second address: B18096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B18096 second address: B1809A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B1809A second address: B180B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCDBCDBB72Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B180B0 second address: B180BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FCDBDA9B2CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B1EAD6 second address: B1EAE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FCDBCDBB726h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B1EAE0 second address: B1EAE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B1EAE4 second address: B1EAEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B1DA1C second address: B1DA3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2D1h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCDBDA9B2CBh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B33834 second address: B3383E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCDBCDBB726h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3383E second address: B33854 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2D0h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B33854 second address: B3385A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3385A second address: B3385E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2C6AA second address: B2C6BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FCDBCDBB72Ah 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B41AB4 second address: B41ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCDBDA9B2D9h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FCDBDA9B2C6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B41ADC second address: B41AE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B41AE0 second address: B41AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B41AE6 second address: B41AED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B41AED second address: B41AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B5986D second address: B59883 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCDBCDBB72Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007FCDBCDBB726h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B59883 second address: B59889 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B59C80 second address: B59C86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B59C86 second address: B59C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FCDBDA9B2C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B59E11 second address: B59E30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCDBCDBB739h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B59E30 second address: B59E69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FCDBDA9B2D5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007FCDBDA9B2CAh 0x00000016 push esi 0x00000017 pop esi 0x00000018 push edi 0x00000019 pop edi 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d je 00007FCDBDA9B2C6h 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B59E69 second address: B59E6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B59E6D second address: B59E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B5A0EA second address: B5A0F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B5A3AD second address: B5A3C8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCDBDA9B2D1h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B5A3C8 second address: B5A3FA instructions: 0x00000000 rdtsc 0x00000002 je 00007FCDBCDBB726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push esi 0x0000000d js 00007FCDBCDBB726h 0x00000013 pop esi 0x00000014 pushad 0x00000015 jmp 00007FCDBCDBB739h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B5A3FA second address: B5A408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jbe 00007FCDBDA9B2C6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B5BFFE second address: B5C00E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FCDBCDBB728h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B5C00E second address: B5C015 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B5C015 second address: B5C01D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B5E9A6 second address: B5E9AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B5E9AC second address: B5E9B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B5EC9D second address: B5ECD0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCDBDA9B2C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c jbe 00007FCDBDA9B2C9h 0x00000012 or dl, FFFFFFD3h 0x00000015 sub dword ptr [ebp+12449BC2h], ecx 0x0000001b push 00000004h 0x0000001d jng 00007FCDBDA9B2CCh 0x00000023 or dword ptr [ebp+122D2292h], ecx 0x00000029 push 036A0B02h 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6052D second address: B60531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B60531 second address: B6056C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push ebx 0x0000000b jc 00007FCDBDA9B2CCh 0x00000011 js 00007FCDBDA9B2C6h 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007FCDBDA9B2CBh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360D4E second address: 5360D52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360D52 second address: 5360D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360D58 second address: 5360D7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBCDBB732h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [eax+00000FDCh] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360D7A second address: 5360D80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360D80 second address: 5360D86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360D86 second address: 5360DA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test ecx, ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360DA2 second address: 5360DA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360DA8 second address: 5360DDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBDA9B2D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FCDBDA9B31Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FCDBDA9B2D7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360DDF second address: 5360E31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCDBCDBB739h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add eax, ecx 0x0000000b pushad 0x0000000c push ecx 0x0000000d jmp 00007FCDBCDBB733h 0x00000012 pop ecx 0x00000013 mov ebx, 3C9C267Ch 0x00000018 popad 0x00000019 mov eax, dword ptr [eax+00000860h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 jmp 00007FCDBCDBB72Ch 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360E31 second address: 5360E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360E36 second address: 5360E6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edx, 636C6BB0h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test eax, eax 0x0000000f jmp 00007FCDBCDBB72Fh 0x00000014 je 00007FCE2D651631h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jmp 00007FCDBCDBB72Bh 0x00000022 mov ax, DD2Fh 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7949F second address: A794A9 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCDBDA9B2C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 8D3920 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 8D3A15 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A6FADA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A7F9B5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: AF5544 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 6856	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6836	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1793514920.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1793300479.000000000145E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.1793514920.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792132291.00000000014CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B5BB0 LdrInitializeThunk,

0_2_008B5BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor

Source: file.exe, file.exe, 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: SProgram Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	unknown
eaglepawnoy.store	unknown	unknown	false	unknown
bathdoomgaz.store	unknown	unknown	false	unknown
spirittunek.store	unknown	unknown	false	unknown
licendfilteo.site	unknown	unknown	true	unknown
studennotediw.store	unknown	unknown	false	unknown
mobbipenju.store	unknown	unknown	false	unknown
clearancek.site	unknown	unknown	true	unknown
dissapoiznw.store	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
studennotediw.stor	true		unknown
spirittunek.stor	true		unknown
eaglepawnoy.stor	true		unknown
clearancek.site	true		unknown
mobbipenju.stor	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
licendfilteo.site	true		unknown
bathdoomgaz.stor	true		unknown
dissapoiznw.stor	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://player.vimeo.com	file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bathdoomgaz.store:443/api	file.exe, 00000000.00000002.1793433978.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.000000000149F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/en/	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/market/	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000000.00000002.1793300479.0000000001496000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.youtube.com	file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.steampowere	file.exe, 00000000.00000002.1793514920.00000000014DA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://clearancek.site:443/api	file.exe, 00000000.00000002.1793433978.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.000000000149F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz	file.exe, 00000000.00000002.1793300479.0000000001496000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://s.ytimg.com;	file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://eaglepawnoy.store:443/api	file.exe, 00000000.00000002.1793433978.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.000000000149F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/legal/	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steam.tv/	file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com:443/profiles/76561199724331900	file.exe, 00000000.00000002.1793433978.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.000000000149F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/points/shop/	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://studennotediw.store:443/api	file.exe, 00000000.00000002.1793433978.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.000000000149F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sketchfab.com	file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:27060	file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/lA	file.exe, 00000000.00000002.1793433978.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.000000000149F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	file.exe, 00000000.00000002.1793300479.0000000001496000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/	file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://clearancek.site:443/apii%Vu	file.exe, 00000000.00000002.1793433978.000000000149F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.000000000149F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792245888.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/&&4	file.exe, 00000000.00000002.1793514920.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792132291.00000000014CA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/mobile	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	file.exe, 00000000.00000003.1792132291.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792058958.000000000151F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1792371328.00000000014E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000000.00000003.1792058958.0000000001526000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527554
Start date and time:	2024-10-07 02:57:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@9/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
20:58:08	API Interceptor	3x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	MSCy5UvBYg.exe	Get hash	malicious	LummaC, Amadey, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	zncaKWwEdq.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	E7Bu6a7eve.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	fASbbWNgm1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	MSCy5UvBYg.exe	Get hash	malicious	LummaC, Amadey, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	zncaKWwEdq.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	E7Bu6a7eve.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	23.3.160.8
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	172.228.195.231

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	MSCy5UvBYg.exe	Get hash	malicious	LummaC, Amadey, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	http://buddycities.com/	Get hash	malicious	Unknown	Browse	104.102.49.254
	E7Bu6a7eve.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	LKpIHL2abO.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9455335957405575
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'829'376 bytes
MD5:	86fea273d36e3f9c8221e22b937b1929
SHA1:	e21ce70e02939c4afd908c4f3222b52b154fafb0
SHA256:	76ff561ab5532de44b42249c4d686fc75c21bb17fedc8c6ca3af4268388c3bcc
SHA512:	782f5fa9e546d1726c4c2d4bcade48ad6dae82a6cce0af9852f8ee1ea5a8b7fa688a5a2caa04c914974f4738fe2637f7116e454671fbbb460762944ad5704efb
SSDEEP:	49152:H4OyHuFfXfMMepzV58m+WDiClGzOyKWwLW:OHcfkll+WmZ
TLSH:	53853335AF74356EDC2D7AB4F0275F3E76BA4608126F89C3121467E6124F26CDCA682C
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f............................. I...........@..........................PI...........@.................................W...k..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x892000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FCDBC60384Ah
bswap eax
sbb eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FCDBC605845h
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	b5d661ec609e96bc2545ac36a3203ecc	False	0.9994907693894389	data	7.974967457011881	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x29c000	0x200	4b91d5595f02d5d794c83ed94a05159a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
kawjnymv	0x2fc000	0x195000	0x195000	84e2a5edfc541b205aefbde7edb779da	False	0.9945041232638889	data	7.953272696615757	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ldklrfiv	0x491000	0x1000	0x600	63891b812799fe5876e9a0f1b6b45957	False	0.5748697916666666	data	4.9414712603687905	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x492000	0x3000	0x2200	8b0b6386b854f8f6957bb255f69d9e90	False	0.06387867647058823	DOS executable (COM)	0.7907970501923961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T02:58:09.318466+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.4	57803	1.1.1.1	53	UDP
2024-10-07T02:58:09.329281+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.4	58246	1.1.1.1	53	UDP
2024-10-07T02:58:09.339582+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.4	54591	1.1.1.1	53	UDP
2024-10-07T02:58:09.349447+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.4	62241	1.1.1.1	53	UDP
2024-10-07T02:58:09.359313+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.4	50882	1.1.1.1	53	UDP
2024-10-07T02:58:09.371001+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.4	64610	1.1.1.1	53	UDP
2024-10-07T02:58:09.383104+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.4	64933	1.1.1.1	53	UDP
2024-10-07T02:58:09.394735+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.4	59313	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 02:58:09.421432972 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:09.421483994 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 02:58:09.421566963 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:09.424839973 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:09.424860001 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 02:58:10.075051069 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 02:58:10.075217962 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:10.099400997 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:10.099447966 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 02:58:10.100374937 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 02:58:10.147171974 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:10.176285982 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:10.223406076 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 02:58:10.557045937 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 02:58:10.557105064 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 02:58:10.557138920 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:10.557179928 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 02:58:10.557204008 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 02:58:10.557245970 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 02:58:10.557276011 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 02:58:10.557311058 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:10.557311058 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:10.557311058 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:10.557311058 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:10.557348013 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:10.645215034 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 02:58:10.645349026 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:10.645358086 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 02:58:10.645432949 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 02:58:10.645469904 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 02:58:10.645597935 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:10.645597935 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:10.646436930 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 02:58:10.646452904 CEST	443	49730	104.102.49.254	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 02:58:09.318465948 CEST	57803	53	192.168.2.4	1.1.1.1
Oct 7, 2024 02:58:09.327917099 CEST	53	57803	1.1.1.1	192.168.2.4
Oct 7, 2024 02:58:09.329281092 CEST	58246	53	192.168.2.4	1.1.1.1
Oct 7, 2024 02:58:09.337796926 CEST	53	58246	1.1.1.1	192.168.2.4
Oct 7, 2024 02:58:09.339581966 CEST	54591	53	192.168.2.4	1.1.1.1
Oct 7, 2024 02:58:09.348355055 CEST	53	54591	1.1.1.1	192.168.2.4
Oct 7, 2024 02:58:09.349447012 CEST	62241	53	192.168.2.4	1.1.1.1
Oct 7, 2024 02:58:09.357884884 CEST	53	62241	1.1.1.1	192.168.2.4
Oct 7, 2024 02:58:09.359313011 CEST	50882	53	192.168.2.4	1.1.1.1
Oct 7, 2024 02:58:09.368262053 CEST	53	50882	1.1.1.1	192.168.2.4
Oct 7, 2024 02:58:09.371001005 CEST	64610	53	192.168.2.4	1.1.1.1
Oct 7, 2024 02:58:09.380230904 CEST	53	64610	1.1.1.1	192.168.2.4
Oct 7, 2024 02:58:09.383104086 CEST	64933	53	192.168.2.4	1.1.1.1
Oct 7, 2024 02:58:09.392062902 CEST	53	64933	1.1.1.1	192.168.2.4
Oct 7, 2024 02:58:09.394735098 CEST	59313	53	192.168.2.4	1.1.1.1
Oct 7, 2024 02:58:09.403562069 CEST	53	59313	1.1.1.1	192.168.2.4
Oct 7, 2024 02:58:09.407999039 CEST	54280	53	192.168.2.4	1.1.1.1
Oct 7, 2024 02:58:09.415338039 CEST	53	54280	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 02:58:09.318465948 CEST	192.168.2.4	1.1.1.1	0xe329	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 7, 2024 02:58:09.329281092 CEST	192.168.2.4	1.1.1.1	0xcc6	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 02:58:09.339581966 CEST	192.168.2.4	1.1.1.1	0x2e2f	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 02:58:09.349447012 CEST	192.168.2.4	1.1.1.1	0x368c	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 02:58:09.359313011 CEST	192.168.2.4	1.1.1.1	0x5d55	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 02:58:09.371001005 CEST	192.168.2.4	1.1.1.1	0xcfd	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 02:58:09.383104086 CEST	192.168.2.4	1.1.1.1	0x9e7d	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 02:58:09.394735098 CEST	192.168.2.4	1.1.1.1	0xd464	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 7, 2024 02:58:09.407999039 CEST	192.168.2.4	1.1.1.1	0x35	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 02:58:09.327917099 CEST	1.1.1.1	192.168.2.4	0xe329	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 02:58:09.337796926 CEST	1.1.1.1	192.168.2.4	0xcc6	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 02:58:09.348355055 CEST	1.1.1.1	192.168.2.4	0x2e2f	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 02:58:09.357884884 CEST	1.1.1.1	192.168.2.4	0x368c	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 02:58:09.368262053 CEST	1.1.1.1	192.168.2.4	0x5d55	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 02:58:09.380230904 CEST	1.1.1.1	192.168.2.4	0xcfd	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 02:58:09.392062902 CEST	1.1.1.1	192.168.2.4	0x9e7d	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 02:58:09.403562069 CEST	1.1.1.1	192.168.2.4	0xd464	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 02:58:09.415338039 CEST	1.1.1.1	192.168.2.4	0x35	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.102.49.254	443	6472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 00:58:10 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-07 00:58:10 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 07 Oct 2024 00:58:10 GMT Content-Length: 25489 Connection: close Set-Cookie: sessionid=709491e9a614b5bd7a8383b4; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-07 00:58:10 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-07 00:58:10 UTC	10975	IN	Data Raw: 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 62 75 6c 67 61 72 69 61 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 62 75 6c 67 61 72 69 61 6e 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 Data Ascii: <a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a><a class="popup_menu_item tight" href="?l=bulgarian" onclick="ChangeLanguage( 'bulgarian' ); return fa

Target ID:	0
Start time:	20:58:07
Start date:	06/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x870000
File size:	1'829'376 bytes
MD5 hash:	86FEA273D36E3F9C8221E22B937B1929
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	61.1%
Total number of Nodes:	54
Total number of Limit Nodes:	6

Executed Functions

Function 008B50FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(19A41BB1,00000000,00000800), ref: 008B5182

Strings

@^, xrefs: 008B5120
<I$), xrefs: 008B5198
<I$), xrefs: 008B52E3

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: <I$)$<I$)$@^
API String ID: 1029625771-935358343
Opcode ID: 07c7625b903184bf0cdd0ce3907dbc9d157cd73df4cc22242bc3c1ab06026c37
Instruction ID: f11c8e845bbe56a18565ab04ccb544350d40c68fa90cdedbdb6e3de3abc87681
Opcode Fuzzy Hash: 07c7625b903184bf0cdd0ce3907dbc9d157cd73df4cc22242bc3c1ab06026c37
Instruction Fuzzy Hash: 8F219D351083848FC300DF68E890B6AFBF4FB6A300F69882CE1C5D7352D676DA158B56

Function 0087FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t, xrefs: 0087FCBE
V, xrefs: 0087FEDC
J|BJ, xrefs: 0088000D
VY^_, xrefs: 0087FDFF

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: e5a76829ffa7ffa368798231f67e8f88b74973584b60f2d08e10daa0342078bb
Instruction ID: c467b6ae6a21ce9693cb408c45bb466cadd45451fef3fa9decba43e017c83a00
Opcode Fuzzy Hash: e5a76829ffa7ffa368798231f67e8f88b74973584b60f2d08e10daa0342078bb
Instruction Fuzzy Hash: 4CD1557550C3809BD311EF199494A1FBBE1FB96B48F28882CE5C98B252C736CD49DF92

Function 0087D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 0087D2F1

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: f208cdcdcd7391210f55132a82e142fd1f6d4a4955d0e5ba5fa3cf6791a220b0
Instruction ID: 262cf7ce6476b93776f86e56a3025513abe153ec40770eade21454b17c27e67f
Opcode Fuzzy Hash: f208cdcdcd7391210f55132a82e142fd1f6d4a4955d0e5ba5fa3cf6791a220b0
Instruction Fuzzy Hash: DC41147041D340ABD601AB68D588A2EFBF5FF52704F54CC1CE5C8EB216C239E8158B67

Function 008B5700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 008B5784

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 798ac9499f77da2d8a0e3e95d0dffffd94df04d361178b3fb8a92d9ee75d86ff
Instruction ID: 03398bc14f6fe5a65731245a72ca4b8906eb2b5143239b70bb35d5810facdb10
Opcode Fuzzy Hash: 798ac9499f77da2d8a0e3e95d0dffffd94df04d361178b3fb8a92d9ee75d86ff
Instruction Fuzzy Hash: 9F118871A18640EBC302AF28E840E5BBBF9EF96710F158828E4C4DB321D735D811CBA7

Function 008B5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(008B973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 008B5BDE

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 008B695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 008B69C5

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8c1bad4a7da8b61af6db107c2e2af29976220b4d14c109dfaeac67e6cf633853
Instruction ID: acc151add0b7a01708223f0c2504ffb9a2a12b5c4dcfa648c4fc528cc5454f72
Opcode Fuzzy Hash: 8c1bad4a7da8b61af6db107c2e2af29976220b4d14c109dfaeac67e6cf633853
Instruction Fuzzy Hash: 653187B15083018FDB18DF18D890B6ABBF1FF85344F44A81CE5C6E7362E33899548B56

Function 0088049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab93d84bd8e8045cfa2bb354dae95482966acfada921d909d6384ea2b7bfb91f
Instruction ID: 64fbdf9fff9cd089fcfdd814014ef6872442d8e101afcf35f11c5de64b644438
Opcode Fuzzy Hash: ab93d84bd8e8045cfa2bb354dae95482966acfada921d909d6384ea2b7bfb91f
Instruction Fuzzy Hash: 74917975200B00CFD724DF25EC94A16B7F6FF89314B158A6CE956CBAA2D731E816CB50

Function 00880228 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9eb347989d1b455f87ec7c858af665a7fe34c623b91d4f55f17eab855ca676
Instruction ID: c545ddf1e93989552f8a7fd42de4e9d57b39da7d303f1779e81e6a3a75eccf9d
Opcode Fuzzy Hash: 0b9eb347989d1b455f87ec7c858af665a7fe34c623b91d4f55f17eab855ca676
Instruction Fuzzy Hash: 53715874200B00DFD7259F25EC94F16B7F6FF89315F108A68E9568BA62C731A81ACF50

Function 008B99D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be8a58a3782329a26837874972f2ee52c32cd8544862383efa0826e34d742d87
Instruction ID: 175c4cd9a5142a596d305abffea524397ee6d46d15be2f1811e1369c77f836fd
Opcode Fuzzy Hash: be8a58a3782329a26837874972f2ee52c32cd8544862383efa0826e34d742d87
Instruction Fuzzy Hash: 50417D34208310ABDB149A15E890B6FBBF6FB85724F54982CE6CAD7391D331E851CB62

Function 008B63B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c99b262de211a85f9ca09d79bd7e3f9f393c0611214a03ff836391252792933b
Instruction ID: 74ed76ad3c4b8d088857314fc3db046d55863688f2deaffa38cdab6a7f0ef104
Opcode Fuzzy Hash: c99b262de211a85f9ca09d79bd7e3f9f393c0611214a03ff836391252792933b
Instruction Fuzzy Hash: 5B31F270209701BADA24DB08CD82F7AB7F1FB85B10F64851CF1819B3E1E374B8618B56

Function 00880EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12588d387dd919632579b773fe74651df9c2847fa1c6e1eb3fbedb29fd5fa066
Instruction ID: 80d59febc04f85a86500d6a79d86c1d08b4edf940129d475efd53a01bf1bc4cb
Opcode Fuzzy Hash: 12588d387dd919632579b773fe74651df9c2847fa1c6e1eb3fbedb29fd5fa066
Instruction Fuzzy Hash: EE2128B490022A9FEB15DF94CC90BBEBBB1FF4A304F144808E911BB292C735A905CF64

Function 008B3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 008B32A6

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a9d3b6ef07bba75f1f76d1d5df9bca936fc1cc342cd003d957ac44c6d5deb415
Instruction ID: ec00f7d8046ac33487624542dce152a4f67f1282625c251e916382284ab5473f
Opcode Fuzzy Hash: a9d3b6ef07bba75f1f76d1d5df9bca936fc1cc342cd003d957ac44c6d5deb415
Instruction Fuzzy Hash: 12014B3450D3409BC701AB18E845A1ABBF8FF4A701F05881CE5C59B361D235DD60CB92

Function 008B3202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 008B3208

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a816dad12b854bc88c4eff6330a46eaa959c6cf4eeacaf5655a6bb3b397c8842
Instruction ID: 3bf6c38c45ef07d5b8054ac3007315822a7ca20d5e5b2baa6d0f9b8c24af5027
Opcode Fuzzy Hash: a816dad12b854bc88c4eff6330a46eaa959c6cf4eeacaf5655a6bb3b397c8842
Instruction Fuzzy Hash: BCB01130080200AFEA082B00EC0AF003A20FB00A0AF8000A0A200080B2E2B2A8A8CAA8

Non-executed Functions

Function 0088DB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0088DE37, 0088DE46
:WUE, xrefs: 0088F6B7, 0088F6C6
mjkh, xrefs: 0088E7D8
89>?, xrefs: 0088E9F6
tuJK, xrefs: 0088E967
lkji, xrefs: 0088E73E
tsrq, xrefs: 0088E6FC
D, xrefs: 0088E846
WP, xrefs: 0088DCEF
`Y^_, xrefs: 0088E99E
AR, xrefs: 0088DD10
T, xrefs: 0088F157
89&', xrefs: 0088E93B
xgfe, xrefs: 0088E71D
DCBA, xrefs: 0088E887, 0088E896
`onm, xrefs: 0088E733
<=:;, xrefs: 0088E930
()./, xrefs: 0088E9CA
LKJI, xrefs: 0088E6E6
dcba, xrefs: 0088E728
|, xrefs: 0088ECB1
QNOL, xrefs: 0088E775
@ONM, xrefs: 0088E6DB
<=2, xrefs: 0088EA01

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: 972e3aa0c24781f65c6e7d5b108415377fbb549ab7c724d43cbc77274a7bcc98
Instruction ID: ffb7177e3077c85b0dda8700a6b8d66403307e853e478a800a446ca7fff3ddd2
Opcode Fuzzy Hash: 972e3aa0c24781f65c6e7d5b108415377fbb549ab7c724d43cbc77274a7bcc98
Instruction Fuzzy Hash: 4AF245B05093819BD770EF14C884BABBBE6FFD5304F14482DE5C99B292DB319985CB92

Function 008A23E0 Relevance: 31.3, APIs: 4, Strings: 12, Instructions: 3298COMMON

Download Yara Rule

Strings

`tii, xrefs: 008A2693
Cx, xrefs: 008A453D
:, xrefs: 008A32DD
%*+(, xrefs: 008A40EF
3<, xrefs: 008A32D6
mlc@, xrefs: 008A275C
f@~!, xrefs: 008A25FF
aenQ, xrefs: 008A276A
fedc, xrefs: 008A2782
|}&C, xrefs: 008A2F21
{l`~, xrefs: 008A268C
ggxz, xrefs: 008A2685

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C
API String ID: 0-786070067
Opcode ID: 1f47a41863e000aaf6a045bdb2b58dbcd8fe1bbe0a7740c9b1d75849668ed54d
Instruction ID: 4131f86728508162a922de81275314e5cfd0d148230acb0318faad5a819c318c
Opcode Fuzzy Hash: 1f47a41863e000aaf6a045bdb2b58dbcd8fe1bbe0a7740c9b1d75849668ed54d
Instruction Fuzzy Hash: B1339A70504B818BE7258F38C590B62BBE1FF57304F58999DE4DA8BB92C735E806CB61

Function 00899F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

sm, xrefs: 0089A830
_Y, xrefs: 0089A641
%e6g, xrefs: 0089A152
/), xrefs: 0089A66D
(a*c, xrefs: 0089A147
kW, xrefs: 0089A380
WH, xrefs: 0089AA1C
WQ, xrefs: 0089A62B
?m,o, xrefs: 0089A13C
S], xrefs: 0089A636
CG, xrefs: 0089AA32
hi, xrefs: 0089AB9D
=], xrefs: 0089A36A
]{, xrefs: 0089A1E7, 0089A1F3
N[, xrefs: 0089A375
Gt, xrefs: 00899FF8
JG, xrefs: 0089AA27

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: 539dbc9529fe435a2877974e9473bafcfc8bf3107b42bf2e5ac95494f18d355e
Instruction ID: e4734f0edae7665e437195cd56555eab789a1bc6848072d9652006512aac820d
Opcode Fuzzy Hash: 539dbc9529fe435a2877974e9473bafcfc8bf3107b42bf2e5ac95494f18d355e
Instruction Fuzzy Hash: D652B6B404D385CAE274CF25D581B8EBAF1BB92740F648A1DE1ED9B255DBB08045CF93

Function 00899510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

pq, xrefs: 008999E0
O+f), xrefs: 00899634, 0089963D
G+X5, xrefs: 00899AF3
B?Q9, xrefs: 00899B0B
2A"_, xrefs: 00899980
G'M!, xrefs: 00899ADB
!E4G, xrefs: 00899836
?M0K, xrefs: 00899968
z=Q?, xrefs: 00899826
8;, xrefs: 00899B13
B7U1, xrefs: 00899AFB
X/R), xrefs: 00899AEB
L3Y=, xrefs: 00899B03
;IJK, xrefs: 0089983E
T#a-, xrefs: 00899AE3
,A&C, xrefs: 0089982E

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: 0e0d6127bc8d18c9ba12404475a13b7679592f7c93f33a7b09a730bcbff6f2f5
Instruction ID: 6c4c0e06f10204ca3bf88b429b5f8d699cf0d50630e8addba170ad1d0dfe7a5d
Opcode Fuzzy Hash: 0e0d6127bc8d18c9ba12404475a13b7679592f7c93f33a7b09a730bcbff6f2f5
Instruction Fuzzy Hash: 12F141B0508384ABD710EF59D881A2BBBF4FB96B88F084D1CF4D99B252D334D944CB96

Function 0089DD29 Relevance: 14.9, Strings: 11, Instructions: 1142COMMON

Download Yara Rule

Strings

{E, xrefs: 0089E323
=]+_, xrefs: 0089E276
-M2O, xrefs: 0089E25A
hX]N, xrefs: 0089DDC7
n\+H, xrefs: 0089DDC0
<Y.[, xrefs: 0089E27D
)IgK, xrefs: 0089E261
,Q?S, xrefs: 0089E26F
%*+(, xrefs: 0089E143
Y9N;, xrefs: 0089E245
upH}, xrefs: 0089DE8A, 0089E798, 0089DF4A

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$upH}${E
API String ID: 0-1557708024
Opcode ID: 193277eac59ab0b09258d521615f619bc75d651a2c9e996bd3bf67b459fc68de
Instruction ID: f255a1309654274648c251f97342c70a183d9e3cd976c39a9e4dd11f3023b6b2
Opcode Fuzzy Hash: 193277eac59ab0b09258d521615f619bc75d651a2c9e996bd3bf67b459fc68de
Instruction Fuzzy Hash: 6C92D471E00215CFDF14CF68D891AAEBBB2FF4A310F298168E455AB392D735AD41CB91

Function 00A33AAD Relevance: 11.6, Strings: 8, Instructions: 1572COMMON

Download Yara Rule

Strings

'\", xrefs: 00A33BE5
~MZ, xrefs: 00A34947
Q[,, xrefs: 00A34DEB
3?, xrefs: 00A34179
(DE[, xrefs: 00A33FE9
Ul_, xrefs: 00A34739
<)i, xrefs: 00A34A37
?or, xrefs: 00A33CA9

Memory Dump Source

Source File: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: '\"$(DE[$<)i$?or$Q[,$Ul_$~MZ$3?
API String ID: 0-74434454
Opcode ID: 573e1fd556f880871609d13d1e6fc622763fc87605a944e35c233f2b26871225
Instruction ID: 39c734d715279fdce3ed395ce8d53ebf9151c7bd3bc191ed5b55f015583d002c
Opcode Fuzzy Hash: 573e1fd556f880871609d13d1e6fc622763fc87605a944e35c233f2b26871225
Instruction Fuzzy Hash: 9AB227F3A086049FE3046E2DEC8577ABBE5EF94720F1A853DEAC4C7744EA3558058687

Function 00A306B3 Relevance: 11.5, Strings: 8, Instructions: 1471COMMON

Download Yara Rule

Strings

aII], xrefs: 00A30774
^n#\, xrefs: 00A31680
>yw, xrefs: 00A31163
aBOS, xrefs: 00A30926
'hW{, xrefs: 00A30FEF
!~xy, xrefs: 00A31528
_fnc, xrefs: 00A30DA3
^n#\, xrefs: 00A31662

Memory Dump Source

Source File: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: !~xy$'hW{$>yw$^n#\$^n#\$_fnc$aBOS$aII]
API String ID: 0-607618633
Opcode ID: a970a24b4c0bd4007985fe9da73b60d56c4965ff7b3f7347038ee048bab9838b
Instruction ID: 91b62d9b45ae5d4f158797a870080c5c736f14dbe6b5e67dbf122e8ed3fb84e1
Opcode Fuzzy Hash: a970a24b4c0bd4007985fe9da73b60d56c4965ff7b3f7347038ee048bab9838b
Instruction Fuzzy Hash: 6BA208F360C204AFE308AE2DEC4567ABBE5EBD4720F16853DEAC5C3744EA3558058697

Function 0089098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

&> &, xrefs: 00890F89
,#15, xrefs: 00890F94
qrqp, xrefs: 00891089
gce/, xrefs: 00891073
{, xrefs: 00891502
%*+(, xrefs: 00890A77, 00890A86
9.5^, xrefs: 00890F9F
cah`, xrefs: 0089107E

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: 15e84c4fd797e9cec5b7ecd4725bc18bbd367bc2bc0569d1cef7e74955052174
Instruction ID: 3b9e23094a00e093a3618db023dae8e86d0a8b466c9fa4add143fd2a0d9d4904
Opcode Fuzzy Hash: 15e84c4fd797e9cec5b7ecd4725bc18bbd367bc2bc0569d1cef7e74955052174
Instruction Fuzzy Hash: AE6287B16083818FDB30DF18D895BABBBE1FB96354F08492DE49A8B641E3759940CF53

Function 00871000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

gfff, xrefs: 00872226
-, xrefs: 008721ED
0123456789ABCDEFXP, xrefs: 0087157D, 008715EB
0123456789abcdefxp, xrefs: 00871587, 008715F8
gfff, xrefs: 008722E1
@, xrefs: 00872C40
gfff, xrefs: 00872297

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: aa8ffdbe62de151afeacfed83cb794a278fdda39e5ac8107b6b2e8bb925ab888
Instruction ID: 4d3f17a378ee432f865c9682c151253b16bf28802adad5c1bd8d310909d2b08d
Opcode Fuzzy Hash: aa8ffdbe62de151afeacfed83cb794a278fdda39e5ac8107b6b2e8bb925ab888
Instruction Fuzzy Hash: 00D2E0316087518FD718CE28C89436ABBE2FBD5314F18CA2DE499CB39AD774D945CB82

Function 00A38BF3 Relevance: 10.4, Strings: 7, Instructions: 1635COMMON

Download Yara Rule

Strings

;O{v, xrefs: 00A3962C
G]KM, xrefs: 00A39961
"}, xrefs: 00A394B7
pp_O, xrefs: 00A39AC4
W{, xrefs: 00A39DA0
5!~{, xrefs: 00A39420
*?, xrefs: 00A38CD9

Memory Dump Source

Source File: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: "}$*?$5!~{$;O{v$G]KM$pp_O$W{
API String ID: 0-3114465886
Opcode ID: a8f202137d06e40580cff744b8c3fad92661f96c374b60d98f39a45cf9f3327c
Instruction ID: ecaaf34527c9e640337b60cc80a7e1d05cebaf76f69618a381f576c4cefb182c
Opcode Fuzzy Hash: a8f202137d06e40580cff744b8c3fad92661f96c374b60d98f39a45cf9f3327c
Instruction Fuzzy Hash: B8B249F3A0C2109FE3046E2DEC8566ABBE9EF94720F1A493DE6C4D3744E63598058797

Function 00A41394 Relevance: 9.1, Strings: 6, Instructions: 1614COMMON

Download Yara Rule

Strings

drw, xrefs: 00A41CED
zas, xrefs: 00A426A6
MR6, xrefs: 00A4230E
LNo, xrefs: 00A413B1
Eo7}, xrefs: 00A4190D
a)v, xrefs: 00A41BB0

Memory Dump Source

Source File: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: Eo7}$LNo$MR6$a)v$drw$zas
API String ID: 0-1394886629
Opcode ID: a5335bf7ce988585536d145dffe1a7f57a9fd867f6dc02176e652ba4eec0bb96
Instruction ID: c217957060ac951bf08971c955d4524f7a443cc849e9bd3ba0bf1bc6c8856802
Opcode Fuzzy Hash: a5335bf7ce988585536d145dffe1a7f57a9fd867f6dc02176e652ba4eec0bb96
Instruction Fuzzy Hash: 17B219F360C2049FE3046E29EC8567ABBE9EF94720F1A853DE6C4C7744EA3598058797

Function 00A3A7AD Relevance: 9.1, Strings: 6, Instructions: 1560COMMON

Download Yara Rule

Strings

N@Ot, xrefs: 00A3AA43
a~{, xrefs: 00A3AA75
5E7w, xrefs: 00A3AE43
w&|?, xrefs: 00A3B91C
lU, xrefs: 00A3B8CB
:y, xrefs: 00A3B3EF, 00A3B4CD, 00A3B951, 00A3B96F

Memory Dump Source

Source File: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: 5E7w$N@Ot$a~{$lU$w&|?$:y
API String ID: 0-166167866
Opcode ID: 1065a3b78066d6f6df20170abbc8a15e779f33f435e408c7265265a07232c6be
Instruction ID: 9e95bab22863e44a6a700118247307aaf0b5a89a1b3e7e3f24c9b4bb03f259a4
Opcode Fuzzy Hash: 1065a3b78066d6f6df20170abbc8a15e779f33f435e408c7265265a07232c6be
Instruction Fuzzy Hash: 50B2C3F3A082109FE3046E2DEC8567ABBE9EF94720F1A493DE6C5C7340E63598158697

Function 00A3C505 Relevance: 8.8, Strings: 6, Instructions: 1348COMMON

Download Yara Rule

Strings

GJkw, xrefs: 00A3CB28
@w,, xrefs: 00A3D47E
VW{k, xrefs: 00A3CB3C
@pM=, xrefs: 00A3CCF3
/}, xrefs: 00A3D35F
i)_, xrefs: 00A3CDD3

Memory Dump Source

Source File: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: /}$@pM=$GJkw$VW{k$i)_$@w,
API String ID: 0-2194019174
Opcode ID: 9b45452b4fd6e34af0b76d5fdec0c621f6b3ff5d5e3f3b2ebfe2f32d1d7d51e8
Instruction ID: a9845c6054d2fb8a709cd053fd3af4806e4a11ad9b2efe1a206c2a0e66d819ff
Opcode Fuzzy Hash: 9b45452b4fd6e34af0b76d5fdec0c621f6b3ff5d5e3f3b2ebfe2f32d1d7d51e8
Instruction Fuzzy Hash: 249206F360C2109FE304AE2DEC8567AFBE9EF94320F16493DEAC487744EA3558058697

Function 00A2E960 Relevance: 7.9, Strings: 5, Instructions: 1677COMMON

Download Yara Rule

Strings

:ku0, xrefs: 00A2EF26
ho{=, xrefs: 00A2F4F2
T{=/, xrefs: 00A2F45F
OO/O, xrefs: 00A2EC9B
WB=, xrefs: 00A2F5ED

Memory Dump Source

Source File: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: :ku0$OO/O$T{=/$WB=$ho{=
API String ID: 0-1462554723
Opcode ID: b3c3979dd5307b550e3f8facfe52f1396232a244b0df5ba53a755a0bf9d46a12
Instruction ID: fe0955fcd2b1cc46009c1655004a2849ac7db0c4b672b2a2f91acae205ee65e0
Opcode Fuzzy Hash: b3c3979dd5307b550e3f8facfe52f1396232a244b0df5ba53a755a0bf9d46a12
Instruction Fuzzy Hash: 8BB239F3A0C2149FE304AE2DEC8567AFBE9EF94720F16463DEAC4C3744E57598048696

Function 008712F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

0, xrefs: 00871E88
0, xrefs: 00871DC1
i, xrefs: 008728EA
@, xrefs: 00873531
0, xrefs: 0087243E

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: 35f660f117f02869cb97a775de28c30c37c68922572005e852371088089fa47a
Instruction ID: 41a15b8bd1042436993d40958bd2e43a68e6137b841439f948d275335d6857c4
Opcode Fuzzy Hash: 35f660f117f02869cb97a775de28c30c37c68922572005e852371088089fa47a
Instruction Fuzzy Hash: 2E62CC7160C3818BC719CE28C49476ABBE1FBD5318F18CA2DE8D9C7299D774D949CB82

Function 0087164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

gfff, xrefs: 00871F3C
+, xrefs: 00871573
0123456789ABCDEFXP, xrefs: 0087164F
0123456789abcdefxp, xrefs: 00871659
gfff, xrefs: 00871F57

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: 5bee0c4ff21f2354605363fe1a55e1b68fd9a264f6fa3c89d601d2910d370edb
Instruction ID: 718539758881a6999eeb5bfe482794d3191bae8fee856b8e8e147663c4daff60
Opcode Fuzzy Hash: 5bee0c4ff21f2354605363fe1a55e1b68fd9a264f6fa3c89d601d2910d370edb
Instruction Fuzzy Hash: 76F18E3160C7818FC719CE29C48466AFBE2BBD9308F18CA6DE4D9C735AD634D945CB92

Function 008713A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

gfff, xrefs: 00871F3C
0123456789ABCDEFXP, xrefs: 008713A3
0123456789abcdefxp, xrefs: 008713AD
-, xrefs: 00871F23
gfff, xrefs: 00871F57

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: f7d0d57c9d0217f6908efed5bd553fce7a40c6d9b9def480200b513512c83970
Instruction ID: 545ccad607d52e38cffd5a03416db20e9a7d1f79aefa6ec8d279897864fe7625
Opcode Fuzzy Hash: f7d0d57c9d0217f6908efed5bd553fce7a40c6d9b9def480200b513512c83970
Instruction Fuzzy Hash: 92D16E356087818FC719CE29C48466AFFE2BBD9308F08CA6DE4D9C735AD634D949CB52

Function 00A32014 Relevance: 6.6, Strings: 4, Instructions: 1574COMMON

Download Yara Rule

Strings

he?, xrefs: 00A321C8
3p:l, xrefs: 00A332E4
'4r^, xrefs: 00A32467
AFq{, xrefs: 00A3230A

Memory Dump Source

Source File: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: '4r^$3p:l$AFq{$he?
API String ID: 0-1143560793
Opcode ID: 990eaa7a851acba05d8df6c6d8717727c43d6051634eeb9c07b6ff556e92a339
Instruction ID: 7ea57825831b4397024ab15674820e184e4e330d469a0c59bed5fd719c131d45
Opcode Fuzzy Hash: 990eaa7a851acba05d8df6c6d8717727c43d6051634eeb9c07b6ff556e92a339
Instruction Fuzzy Hash: 36B203F360C2049FE308AE29EC4567AFBE9EF94720F16892DE6C4C3744EA3558458797

Function 00A37835 Relevance: 6.1, Strings: 4, Instructions: 1072COMMON

Download Yara Rule

Strings

F. i, xrefs: 00A384E0
b!?w, xrefs: 00A3840B
-2j, xrefs: 00A3803A
L|m, xrefs: 00A379F8

Memory Dump Source

Source File: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: -2j$F. i$L|m$b!?w
API String ID: 0-3195604188
Opcode ID: cb831868b7543dac5ab6fae8cf06819a900c55b47ca34956b13ed735505ba4c6
Instruction ID: 34dcf3643cb63d0e413155473d923ecbf3aa7e75da4b34adfe06e3a2cdbff6b8
Opcode Fuzzy Hash: cb831868b7543dac5ab6fae8cf06819a900c55b47ca34956b13ed735505ba4c6
Instruction Fuzzy Hash: 16626CF3A0C2149FE3046E2DEC8567AFBE9EF94320F1A463DEAC4D3744E97558058692

Function 0089FD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

uvw, xrefs: 0089FE95
NA_I, xrefs: 008A036D
m1s3, xrefs: 0089FEC3, 0089FECB
:, xrefs: 008A0087

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: 5e2e039885de7ffa87c40c571ea8ae227f984a981935c16e4352430fc85aebcd
Instruction ID: 695bc8b24df36647144afe18825d60fccac62778ed4ae4fb38654210f06fdc34
Opcode Fuzzy Hash: 5e2e039885de7ffa87c40c571ea8ae227f984a981935c16e4352430fc85aebcd
Instruction Fuzzy Hash: 8B3296B0908380DFE711DF29D884A2ABBE1FB8A354F144A2CF5D58B2A2D335D955CF52

Function 00883BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00883EC4
p, xrefs: 00883C80
;z, xrefs: 00883C87
ss, xrefs: 00883C79

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: e002ee913b47b5e49e2201c63f7a0a47c17b5f4c544c17be9eb9a26ef2dec231
Instruction ID: 3d7ea376f8449319d9308fcff4f43cff78bd1f0a9c3c5a47601d863965910bd3
Opcode Fuzzy Hash: e002ee913b47b5e49e2201c63f7a0a47c17b5f4c544c17be9eb9a26ef2dec231
Instruction Fuzzy Hash: EC024BB4810B00EFD760EF28D986756BFF5FB01700F50895DE89A9B656E330E459CBA2

Function 00A3F7BB Relevance: 5.4, Strings: 3, Instructions: 1641COMMON

Download Yara Rule

Strings

?}, xrefs: 00A40617
?, xrefs: 00A3FF3C
%oWg, xrefs: 00A3FE94

Memory Dump Source

Source File: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %oWg$?}$?
API String ID: 0-3613953193
Opcode ID: adc9b60c5089282dd57f176805a42e1c2369fdaadf62b55f4df0dc7dfec575d2
Instruction ID: a91a3cfbe917123a1142b99db46fcf01685c91078f8457d5ae1ff8784f285af5
Opcode Fuzzy Hash: adc9b60c5089282dd57f176805a42e1c2369fdaadf62b55f4df0dc7dfec575d2
Instruction Fuzzy Hash: D1B209F3A086149FE3046E2DDC8577ABBE9EF94320F16863DEAC4C3744EA3558058796

Function 00892260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

sj, xrefs: 00892327
a|, xrefs: 00892317
lc, xrefs: 00892507
hu, xrefs: 0089232F

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: a|$hu$lc$sj
API String ID: 0-3748788050
Opcode ID: ba158d0173ae452cac58598f6feac64e58016fd360be5c59536424e84bdd7319
Instruction ID: ee306bd282505da03534c38b6aed8b4313caa8e92a398eefbf86b60afe25691e
Opcode Fuzzy Hash: ba158d0173ae452cac58598f6feac64e58016fd360be5c59536424e84bdd7319
Instruction Fuzzy Hash: 54A18B744083419BCB20EF18C891A2BF7F0FFA5754F589A0CE8D99B2A1E335D945CB96

Function 0089D7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

T>, xrefs: 0089D984
CV, xrefs: 0089D98B
#', xrefs: 0089D9EA
KV, xrefs: 0089D97D

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: 9372bd6ec487de8752ef4487e49aaf7b5e3494a870b9add2c2c4afd2c8d5f900
Instruction ID: 604396b5af8ffde02b717776b7886e63bfc279c395218a47cdc1d6bfe5ab14c1
Opcode Fuzzy Hash: 9372bd6ec487de8752ef4487e49aaf7b5e3494a870b9add2c2c4afd2c8d5f900
Instruction Fuzzy Hash: 0D8146B48017459BDB20EF95D28515EBFB1FF12300F645A0CE486ABA55C330AA65CFE7

Function 0089AC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

4c2a, xrefs: 0089ACA9
lk, xrefs: 0089ACBC
(g6e, xrefs: 0089ACA1
,{*y, xrefs: 0089AD07, 0089AD13

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: 6bb32c273a4cdacf9f7f90e97c9e91e520fcac2c6d8577ac508f0070e41586ac
Instruction ID: d5d5dc71c5f6b4e6ccf16a35c40fd25caf2db15dc954ba695dd5f15d9beac570
Opcode Fuzzy Hash: 6bb32c273a4cdacf9f7f90e97c9e91e520fcac2c6d8577ac508f0070e41586ac
Instruction Fuzzy Hash: 0B4193B4408381CBDB209F24D944BABB7F0FF86305F58995DE5C897221EB32D944CB96

Function 0089C470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

~/i!, xrefs: 0089C537
%*+(, xrefs: 0089C8C3, 0089C8CB
%*+(, xrefs: 0089C9E4, 0089C9ED

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: 26f1ccf748249770aabc700c2953d9e378ab0d5496bbf284d5194a1f7183108d
Instruction ID: bb4093418fc78e393348ef1b85da2e531147b9dd395859d40a1526264b8a79f4
Opcode Fuzzy Hash: 26f1ccf748249770aabc700c2953d9e378ab0d5496bbf284d5194a1f7183108d
Instruction Fuzzy Hash: 3DE198B5518344DFEB20AF68D885B5BBBF5FB96344F48882CE5C987252D732D810CB92

Function 008B4040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

%*+(, xrefs: 008B40A4, 008B40AD
f, xrefs: 008B420C

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: 7ad5cc46dc5064fe13ffb3ec14a42fbfff55ca75fb62d43d89c2506ff885b4aa
Instruction ID: f3f4a65933b61e8552121525ecff6f22123950b0f99b540b89f1c876370bbf73
Opcode Fuzzy Hash: 7ad5cc46dc5064fe13ffb3ec14a42fbfff55ca75fb62d43d89c2506ff885b4aa
Instruction Fuzzy Hash: C81289716083419FC715CF18C881BAABBE6FB89314F188A2CE495DB392D731E945CB92

Function 008AF620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

hi, xrefs: 008AF6E6
dg, xrefs: 008AF7F5

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: 566430531e72dcc936b0b19c210f9afd4b5ba392a5fce97ebbebcb74ee30a57d
Instruction ID: cfeb798f3a761af46c4ce5215ee0ccde7c92504b9069ed42d65a330f078b561f
Opcode Fuzzy Hash: 566430531e72dcc936b0b19c210f9afd4b5ba392a5fce97ebbebcb74ee30a57d
Instruction Fuzzy Hash: D3F18471618341EFE314CF64D891B6ABBF6FB86354F14896CF1858B2A2CB39D845CB12

Function 008735B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

NaN, xrefs: 0087360E
Inf, xrefs: 00873607

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 0bc9c2964c3d17f0c9da73c90e1a4f23ca83ce4f7f255b4c494ed5adac1fc9fb
Instruction ID: 3e1a38b301d2bb04340c972170a8607cba9e62980527b8682a6857674f41b726
Opcode Fuzzy Hash: 0bc9c2964c3d17f0c9da73c90e1a4f23ca83ce4f7f255b4c494ed5adac1fc9fb
Instruction Fuzzy Hash: 3ED1B272A187119BC704CF28C88061ABBE1FBC8750F15CA3DF999D73A4E671DD459B82

Function 0088FFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

BaBc, xrefs: 00890197
Ye[g, xrefs: 008900F6

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: 25d889016da445e07bc2c1cb8d864cd04d471284b76ce253e994a76dc89f21b6
Instruction ID: f4f8eec1c6d2d757a566f9de4f26a2c3569daf401db01597a34524b03c9a17cf
Opcode Fuzzy Hash: 25d889016da445e07bc2c1cb8d864cd04d471284b76ce253e994a76dc89f21b6
Instruction Fuzzy Hash: 7E5198B16083858EDB31EF18C885BABB7E4FF96320F18491DE49ACB651E3749940CB57

Function 00875160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 008754C8

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: cf271570281d6f78331f32fc6301185e6e5677ddf9644d3f6eb9ce2ab60aead8
Instruction ID: 634e08e1798f42162db8e1d8ac3d9268b0025202193085bc1fdc9692754eb5d5
Opcode Fuzzy Hash: cf271570281d6f78331f32fc6301185e6e5677ddf9644d3f6eb9ce2ab60aead8
Instruction Fuzzy Hash: F622C0B2A08B468BE7198E188840726BBA2FFA1348F19C56DD85DCB359E7F1DC45C742

Function 008A12D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 008A15D1

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: 768bdd19c46684e58fcf6130518be9f5fea642eaec69362e97440e75cf662fac
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: CCF14571A083414FEB24CE28848862BBBE6FFD6354F08C56DE89AC7782D634DC04C792

Function 0089AE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0089B2D3, 0089B2DB

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 823884c65cb47ef1dae6604cf326ee3f9b3c04810d12e2c209f1e1308328e3d4
Instruction ID: f27067fcfe4623dd1fe3e64bedaa8ba9f295fac8acac056f034818fc43b1f31e
Opcode Fuzzy Hash: 823884c65cb47ef1dae6604cf326ee3f9b3c04810d12e2c209f1e1308328e3d4
Instruction Fuzzy Hash: 88E1CA71508706DBCB14EF28D88096EB3F2FF99791F58891CE4C587221E331E999DB82

Function 00886EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00886EF3

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: a77ebe277e0a6ab454a1fea570401308bae4cc9a001dcdeed3e691fc923d6aa1
Instruction ID: b4e7e7b37a4bc5003f30c04b1590771f337d811407e87b6193733493e295e1e8
Opcode Fuzzy Hash: a77ebe277e0a6ab454a1fea570401308bae4cc9a001dcdeed3e691fc923d6aa1
Instruction Fuzzy Hash: 26F19FB5600A05CFC724AF28D891A26B7F2FF48315B148A2DE597C7692FB31F865CB41

Function 00897E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00898263, 0089826B

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 262ab141b34803a773a1520e16c7d21970eb2fd43d69d2aa28aa83d0bdc01251
Instruction ID: e5faa5a59f39f17153f128c61f349ee030776b3ad8e9cc9927cdf87742f5d96a
Opcode Fuzzy Hash: 262ab141b34803a773a1520e16c7d21970eb2fd43d69d2aa28aa83d0bdc01251
Instruction Fuzzy Hash: 60C18D71508201EBDB10AB18C882A2BB7F5FF96754F088818F8C9D7251E735ED55DBA3

Function 00898D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00899233, 0089923B

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 18b85a98b3ddd5b455a4678392d9a307ddfc831668db5aae8c57c01547cab42b
Instruction ID: 278f1be3a6cd5a581e80e1a1ac426e497887e6e11ec5259c0410f4dfb466aa30
Opcode Fuzzy Hash: 18b85a98b3ddd5b455a4678392d9a307ddfc831668db5aae8c57c01547cab42b
Instruction Fuzzy Hash: 8CD1AA70618302DFDB04DF68D890A2AB7F5FF89354F09896CE986C72A1DB35E890CB51

Function 008B7FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 008B8167

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 1877489421b9d95db9ed04d2d1c46cdda30377eb8a82a34d45bf9d3511b905a8
Instruction ID: 1e31228237163cce9448235f7e2871a2fa688077835600836329cd054b4ab377
Opcode Fuzzy Hash: 1877489421b9d95db9ed04d2d1c46cdda30377eb8a82a34d45bf9d3511b905a8
Instruction Fuzzy Hash: A3D1F2729083658FC725CE18D89079EB6E5FB84718F198A2CE9B5AB380DB71DC46C7C1

Function 0089CCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0089CDC3, 0089CDCB

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: 82b271820681136a6fa5d04909c62935dfa92341460e22afeddd1a2e4df92d62
Instruction ID: b32434be2c605ef3ee1e0704a065e91b4bf78997b902eaf9d933eae22f1a76c4
Opcode Fuzzy Hash: 82b271820681136a6fa5d04909c62935dfa92341460e22afeddd1a2e4df92d62
Instruction Fuzzy Hash: CDB100716083058BDB14EF18D880A2BBBE2FF95344F18482CE5C6CB351E736E855CB96

Function 008AFC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 008AFCA4, 008AFCAD

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 607ef0e16a9020e041e936351fdc47558337a296ebcd0785b923ddb2ee9be6ba
Instruction ID: 866bebc3f234f783cc17650d451722763fcce558d4db2b7a256e9046a5e0609c
Opcode Fuzzy Hash: 607ef0e16a9020e041e936351fdc47558337a296ebcd0785b923ddb2ee9be6ba
Instruction Fuzzy Hash: 2081AC70518304EFE711DF98D884A2AB7F5FB9A705F04882CF684D7292DB31E854CB62

Function 0088D457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0088D663, 0088D66B

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: e0b6465b6ee9741fe7409bbe161c32302de4ca16731cd3de54ae83a15c61b9f4
Instruction ID: 5c6fe79d3ef56c8592f34af44b3262578defd31cca349c267bede97a9d25771d
Opcode Fuzzy Hash: e0b6465b6ee9741fe7409bbe161c32302de4ca16731cd3de54ae83a15c61b9f4
Instruction Fuzzy Hash: 1861BFB1908314DBD710EF18DC82A2AB3B5FF95354F08492EF989CB291E331E911CB92

Function 008B4A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 008B4C33, 008B4C3B

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: bdff8b7de6a8f601c05e2534cf4b6e4c121becb7e9778f939e977319c6d17442
Instruction ID: 16523ac5b4755307c08a9e3c23a7640f5a124f8a815acd290c625cb8cf56a062
Opcode Fuzzy Hash: bdff8b7de6a8f601c05e2534cf4b6e4c121becb7e9778f939e977319c6d17442
Instruction Fuzzy Hash: C561EF716083059BDB11DF59C891B6ABBE6FB84724F28991CE6C8C73A2D771EC40CB52

Function 009DF18E Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

7%';, xrefs: 009DF1E0

Memory Dump Source

Source File: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: 7%';
API String ID: 0-435208270
Opcode ID: 9b9d5104899430f7af5395152b2e4c475dd77ef75d79204d818e86589529a792
Instruction ID: 98323df0000fb3ae9ddb635f1b0cb10c9ef90baa8a93fe034225b5f0a63d0e7f
Opcode Fuzzy Hash: 9b9d5104899430f7af5395152b2e4c475dd77ef75d79204d818e86589529a792
Instruction Fuzzy Hash: B251DCF3A087004BE708AE38ECD537AB7E1DF94310F16863DDAD587384EA7958158786

Function 0087E1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 0087E333

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: 2958d26bcd7eeaac9e049fd562e984a613d502da6846ca66d8c612e0de4b6809
Instruction ID: f461831f8610105783f0f8ab1efbd5602c2354b5733537d0d6ed774edd755c84
Opcode Fuzzy Hash: 2958d26bcd7eeaac9e049fd562e984a613d502da6846ca66d8c612e0de4b6809
Instruction Fuzzy Hash: 87512933B196904BD324893C4C553697B876BDA338B3DC7A9E9F9CB3E9D555C8004390

Function 008B3920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 008B39E3, 008B39EB

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: db7d98c6a642b0fdd470f861d5014a2915e0dab2893bdc6cdc84cfc7b62710ad
Instruction ID: 95e9a16618e4c14120a0e45563260ae61d84dc43dec61983390664a6b159b291
Opcode Fuzzy Hash: db7d98c6a642b0fdd470f861d5014a2915e0dab2893bdc6cdc84cfc7b62710ad
Instruction Fuzzy Hash: 28519D34609610DBCB24DF19D880A6ABBE5FB86744F24881CE4CAD7351D771EE50CB62

Function 00881BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00881C3E

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: f4f70013fe6f9fe9fb249fc6e840928d6e7b149e9e27d2eadc2e05528a850541
Instruction ID: 9dde1a8c4d5d5ed7eec8bc2e1d44f4061105b0192606ea83220bdd4d81454302
Opcode Fuzzy Hash: f4f70013fe6f9fe9fb249fc6e840928d6e7b149e9e27d2eadc2e05528a850541
Instruction Fuzzy Hash: DD4153B40083849BCB14AF24D894A2FBBF4FF86314F04991CF5C59B291DB36D905CB56

Function 008AFF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 008B0033, 008B003B

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 59a8adcf784546d11688448926b5149adc724393901f4be7f66e945d3d8cf1bc
Instruction ID: aac806e3a8a54f1cb495d5ce513bd0d64aba8c66626745e4fc9700e446c50798
Opcode Fuzzy Hash: 59a8adcf784546d11688448926b5149adc724393901f4be7f66e945d3d8cf1bc
Instruction Fuzzy Hash: 673103B1908705ABD610FA58DC81F6BB7E8FB85748F144828F984D7352E631EC15CBA3

Function 0089E40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 0089E6A2

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 8b8627ffc6a7572c5ac938c1738c63ec28fa0c64b3f6bdf3f91fd1d8320ba6e2
Instruction ID: 10c4fece94867b1474ea6673a8341d315a5d1bcdf4dba772fc28cf1687818f92
Opcode Fuzzy Hash: 8b8627ffc6a7572c5ac938c1738c63ec28fa0c64b3f6bdf3f91fd1d8320ba6e2
Instruction Fuzzy Hash: 9031B1B5900204DFDB20DF99E8849AEFBB4FB1A745F584428E446E7302C331A904CBA2

Function 00886F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0088703B

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 5b20bd5e9746d63f892eea571f0bd44a8b7b9ae3e4b5842aa6ec182a4f6495cc
Instruction ID: 0cd40e3f91ddc2457a4b1bad86852f7623fc7c22f68499bb05795b3c11048afc
Opcode Fuzzy Hash: 5b20bd5e9746d63f892eea571f0bd44a8b7b9ae3e4b5842aa6ec182a4f6495cc
Instruction Fuzzy Hash: E3415471204B04DBDB359B65C994F26BBF2FB09704F24891CE68A9BAA1E331F8508B10

Function 0089E66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 0089E6A2

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: cd53a582fee8e4f543b65648bba59e73f0fdfe0c3787a3cacb066c628507211a
Instruction ID: 0f69f05b9fb423a39b739ba6ccb9f8e53a4b31c50db88f4bfc55d30b420d9703
Opcode Fuzzy Hash: cd53a582fee8e4f543b65648bba59e73f0fdfe0c3787a3cacb066c628507211a
Instruction Fuzzy Hash: 34218DB5901204DFCB20DF99D9C496FBBB5FB1A745F58481CE446EB342C335A904CBA2

Function 008B9CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 008B9D30

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: a1dc4f337f3b7fc62edb9f24eb50529ca41552f9c138615a0c284cf7918f4a16
Instruction ID: 605228367f2ae1f0a99435d7a3ac45a166c1039d1bb32bbb5b866994193c81d2
Opcode Fuzzy Hash: a1dc4f337f3b7fc62edb9f24eb50529ca41552f9c138615a0c284cf7918f4a16
Instruction Fuzzy Hash: DF3147705093009BD714DF19D880A6AFBF9FF9A354F18892CE6C897351D335E944CBA6

Function 00884E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801e07f3ba21a49a0f22635991fed7473740809d208c294d584f875327b1b3cf
Instruction ID: c68a0f71c1aa2b1df8050c810c407b1c7e84dbf0ec05dc64669dac592de3d58d
Opcode Fuzzy Hash: 801e07f3ba21a49a0f22635991fed7473740809d208c294d584f875327b1b3cf
Instruction Fuzzy Hash: E26235B4500B018FD725EF28D990B26B7E6FF5A704F58896CD49ACBA52E734F804CB91

Function 0087BEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: 4adaee0a1965531dde3aa0aa609daaecfd2e657c1e7fc32bb16ca2d8da247437
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: 2952F5319087158BC7259F1CD4802BAB3E1FFD5319F298A2DD9DAD3289DB34E851CB86

Function 008B8652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af177bca566cb0fad30b232046d9e9a1f2324d4fd1784cf47a86e865b05d86e
Instruction ID: f5a59d9d405912ee69f7a9df262760b5238186e09843101f4b843bb63073d855
Opcode Fuzzy Hash: 5af177bca566cb0fad30b232046d9e9a1f2324d4fd1784cf47a86e865b05d86e
Instruction Fuzzy Hash: 25229A35608341DFC704DF68E8A0A6ABBF1FB8A315F09896DE5C987361D735D990CB42

Function 008B86F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b332561723f5f20ac6bedeac8c785c3832d2f4ec4d2b13056459422b4ab0cb
Instruction ID: 4b246cb17a9c48379c327a54b0e89355552d2b478ba6ac6fe2a67b0c0de6ebaf
Opcode Fuzzy Hash: 15b332561723f5f20ac6bedeac8c785c3832d2f4ec4d2b13056459422b4ab0cb
Instruction Fuzzy Hash: D7229935608340DFD704DF68E8A0A6ABBF5FB8A315F09896DE5C987361D735E890CB42

Function 0087B3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009be95b67db24915dd551ae304c1f3455c5be944fa74fbe82ee4f69e5111e25
Instruction ID: 3a90439b985ce4024a4f83525dfe0f024e1b0648c9abbf86ceaee1e2b1bf911e
Opcode Fuzzy Hash: 009be95b67db24915dd551ae304c1f3455c5be944fa74fbe82ee4f69e5111e25
Instruction Fuzzy Hash: 795294709087888FE735CB24C4847A7BBE3FB91314F14882DC5EA86B8AD779E885C751

Function 008771F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a80aca3a449130dc494be21b7ea3f645be7566f9aecb6aff48650f9172a7135
Instruction ID: d754e950155cae7004132f49720ce73a9bf6f859c7ee7526517257f8d2e7ef47
Opcode Fuzzy Hash: 3a80aca3a449130dc494be21b7ea3f645be7566f9aecb6aff48650f9172a7135
Instruction Fuzzy Hash: FE528F7150C3498BCB15CF28C0906AABBE1FF88318F19CA6DE89D9B355D774D989CB81

Function 00878FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c8362e2d36a52dfd86f5d1990aee7593f573c4bdc59e7b15d9824a72901f351
Instruction ID: 9c22117ccfc6a438311cc603f62ae1ece3e907e3805ae778f39aca93c7bc130f
Opcode Fuzzy Hash: 0c8362e2d36a52dfd86f5d1990aee7593f573c4bdc59e7b15d9824a72901f351
Instruction Fuzzy Hash: 1D424475608301DFD718CF28D8507AABBE1FB88315F09896DE4998B3A1D739D985CF82

Function 00877BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae512fe73dec4e86fe97a92599cf0b0f993f94fa7046b66b927276972fc6119
Instruction ID: c8f06bba7f808c22464f139cf85d1e75a06f612ecd7d747d0845cd2dfaa9e62c
Opcode Fuzzy Hash: cae512fe73dec4e86fe97a92599cf0b0f993f94fa7046b66b927276972fc6119
Instruction Fuzzy Hash: 65321370514B158FC378CE29C59452ABBF1FF85710BA08A2ED6AB87B98D736F845CB10

Function 008B89A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b5d859b89602d152a4e161cb9070c339bed9e5fd44d7b00c689e3a2977435c
Instruction ID: 5ef263cfa1109afa36618f82f2dca02e043dab4f4a995f25583ddab372302090
Opcode Fuzzy Hash: 91b5d859b89602d152a4e161cb9070c339bed9e5fd44d7b00c689e3a2977435c
Instruction Fuzzy Hash: 71028835608281DFC704DF68E890A1ABBF5FB8A315F09896DE5C987361C736D854CB92

Function 008B8A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1debba4e58cafda405326028239f9317bca03e3ddc602d22e1a41e9fec942266
Instruction ID: 86aedae18c364774942ef60779a44d7b775d3731f500cf4c203e470781098a10
Opcode Fuzzy Hash: 1debba4e58cafda405326028239f9317bca03e3ddc602d22e1a41e9fec942266
Instruction Fuzzy Hash: EFF18634608280DFC704EF68E890A1AFBF5FB8A305F09896DE5D987361D736D950CB92

Function 008B8C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d35d4e8bc887e615c0be5d6dcde0c435de946e7c012b9251195515936047cd6
Instruction ID: 04b762ef72e20c9c2125755f7cbd13cc3ce4a0b4bf46b038b26e8f1ed6529580
Opcode Fuzzy Hash: 8d35d4e8bc887e615c0be5d6dcde0c435de946e7c012b9251195515936047cd6
Instruction Fuzzy Hash: 91E19931608240CFC704DF28E891A6ABBF5FB8A315F09896CE5D9C7361D736E951CB92

Function 0087A300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: 234dd89153b099fc3a6452f3390f23a7b3ae7122414658ddc861ffd12a6128de
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: 4AF199766087458FC728CF29C88166ABBE6FFD8304F08882DE4D9C7751E639E945CB52

Function 008B8E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2670b5e6b0c062959feeea6eed411329d1cc7ef817fda99a4ad901d4fc36b8c
Instruction ID: 297d98c1f507104e68028fd4a9fd21ec40135a9b5089df9e23ba02d7241283d2
Opcode Fuzzy Hash: f2670b5e6b0c062959feeea6eed411329d1cc7ef817fda99a4ad901d4fc36b8c
Instruction Fuzzy Hash: B9D17634608280DFD704EF28D890A2AFBF5FB8A305F09896DE5D987361D736D851CB92

Function 00884487 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9477542abf84a8d45ea112ddca1faea1d699aaf452eae4cd3b02cbee27abc2
Instruction ID: 8bdde49c83059c29348063d617e2de42357fa7911d76466c7f0460f9bd148ea8
Opcode Fuzzy Hash: dd9477542abf84a8d45ea112ddca1faea1d699aaf452eae4cd3b02cbee27abc2
Instruction Fuzzy Hash: 86E10FB5601B008FD365DF28E992B97BBE1FF06704F04886CE5AAC7662E735B814CB54

Function 008B6CBF Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d621ed88949d434e2710e798f1f67aba9ff29b5f0a3a0eefca97a9388926ed2
Instruction ID: ea3a39321b4531f4018f5673df213ce7292333e04cf3519042627f0761809b3c
Opcode Fuzzy Hash: 1d621ed88949d434e2710e798f1f67aba9ff29b5f0a3a0eefca97a9388926ed2
Instruction Fuzzy Hash: E4D1DE36618355CFCB10CF28D88096AB7F2FB89314F098A6CE495C73A1D335EA85CB91

Function 008B7AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05bc4aebe0a14555af149c71da7a54f4746499c056e8060bb6dbd48aef0a68be
Instruction ID: 553b2997ef48034b542172038b95f5fbbd6a64282502a90cd7c347210ec58b0f
Opcode Fuzzy Hash: 05bc4aebe0a14555af149c71da7a54f4746499c056e8060bb6dbd48aef0a68be
Instruction Fuzzy Hash: 8FB1D372A083504BE724DE68CC55BABBBE5FFC4314F08492DE999D7392E635DC048792

Function 0087AF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: 60e08ab3489a1b6f99a585518da02944d5bb072fcb99d8af588dd79660100522
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: 35C16C72A087418FC360CF68DC96BABB7E1FF85318F08892DD1D9C6242E778A155CB46

Function 00886536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0627b071dfe9341f3e2b7c1edaef44396159ebfc563123d190996462b216375f
Instruction ID: e80e80a190388b8d596d6242cfff54fc9cd984509f44a3d8666e82b88da784d7
Opcode Fuzzy Hash: 0627b071dfe9341f3e2b7c1edaef44396159ebfc563123d190996462b216375f
Instruction Fuzzy Hash: CDB1FEB4600B408BD3219F28D981B27BBF1FF46704F14885CE8AA8BB52E735F815CB65

Function 008B7710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ef4fd2fa8e4bb57f43954cf461c7e4ab921fa21503e3f6e62f0cea8dee09cd8
Instruction ID: 708182bb13bf0cb609010cdd94d97a99ef75a6b0322eceedb1ec7d0275deb067
Opcode Fuzzy Hash: 3ef4fd2fa8e4bb57f43954cf461c7e4ab921fa21503e3f6e62f0cea8dee09cd8
Instruction Fuzzy Hash: 99917A7160C301ABEB20DA14D880BAFBBE5FBC5354F544828F995D7352E730E990CBA2

Function 008BA0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef258f7a0f5a2ad065cd703225bd327132c5fcef397e161d0f8b0667fb10297e
Instruction ID: 242a19d36466d37ec5020fa5321695cbeb19c9f34c8ae881eeb5fed2cc5e1b78
Opcode Fuzzy Hash: ef258f7a0f5a2ad065cd703225bd327132c5fcef397e161d0f8b0667fb10297e
Instruction Fuzzy Hash: 028179342087059BDB28DF28D890A6EB7F5FF89744F45892CE986CB351E731E850CB92

Function 008A64F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d244690b8228c77b6c7607d1a48c77c597bda54254e845fd5aae7e54bceea360
Instruction ID: d34bd1968c33fdb6ffbafd681b174c0ddcffc1ea990a6b058d245ec3af7a28a6
Opcode Fuzzy Hash: d244690b8228c77b6c7607d1a48c77c597bda54254e845fd5aae7e54bceea360
Instruction Fuzzy Hash: AF71D833B29A944BD3149D7C4C41395AA43ABE7338B3DC379E9B4CB7E9E62948154350

Function 008928E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c0ebc5270b9f6a2210abb5b9cfd2bc69d96f67679d46a865295bf3b9871f2e
Instruction ID: 56d9172e7314852a6e0dfb2e84edb27d015f94aecbd49cc073cf01423875317f
Opcode Fuzzy Hash: f7c0ebc5270b9f6a2210abb5b9cfd2bc69d96f67679d46a865295bf3b9871f2e
Instruction Fuzzy Hash: 766175B4418350ABDB10AF58D841A2ABBF0FFA6755F08891CF4C59B361E339D910CBA7

Function 00897C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aedd185f3b438790832fe06ea837749712c3966ce88c1d22c32bbce135dcaf7e
Instruction ID: 38e1bc6542a78dc253c81fe648f8b6dabee74fbc434db11e54d8a7be83d1c37e
Opcode Fuzzy Hash: aedd185f3b438790832fe06ea837749712c3966ce88c1d22c32bbce135dcaf7e
Instruction Fuzzy Hash: 2B51BEB16282059BDB20AB24CC82BB773A4FF85768F184958F985CB391F375D901C762

Function 008A1860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: a31695aedf0e6e3927033774182549482a3980cead8013bb3ba110fd4a00af12
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: 4061CD316093259BEB14CE28C58832FBBE6FBC6350F68C92DE489CBA51D374ED819741

Function 008A82D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdea11804e7711b5f5cb94e6468b0e720d2081d514c3e14a2b26122002fdfb64
Instruction ID: d58c8c242dc2ff5dfe48786330bccf3e2b1d265b9f2317563ba213e1782864d1
Opcode Fuzzy Hash: fdea11804e7711b5f5cb94e6468b0e720d2081d514c3e14a2b26122002fdfb64
Instruction Fuzzy Hash: 56614723A1AA90CBE314453C5C453AAAA83BBD7738F3EC36599F1CB7E4DD6948014361

Function 008842FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56f8cba49270fd5bd4f8b5085be99b8a0d7bc8fe9b2cb2052fb4645eef8894e
Instruction ID: 4cbd78800b5fbab8157cbcb40dc7c33212077fb46c8cf41f53de63c539aca924
Opcode Fuzzy Hash: a56f8cba49270fd5bd4f8b5085be99b8a0d7bc8fe9b2cb2052fb4645eef8894e
Instruction Fuzzy Hash: 4B81EEB4810B00AFD360AF38D947757BEF4FB06201F404A1DE4EA96695E730A459CBE3

Function 008AE8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: 2b8207b3ee97d32ef8f71084d712dfaf7b973b63ec557abf32fb31d943963828
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: 8E516BB16087548FE314DF69D49435BBBE1FB89318F044E2DE4E987790E379DA088B92

Function 009AA307 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf1e09789c2623128b04550643336885981f9d0525d574ed4157dabbc142d89
Instruction ID: 26e05653388dbec00fd1483519afaa1baeedc0301a10ae0b03204d0bc455cb12
Opcode Fuzzy Hash: fcf1e09789c2623128b04550643336885981f9d0525d574ed4157dabbc142d89
Instruction Fuzzy Hash: 7351E5F3A186009BF3486D39DC497BABBD6EB94320F26463DEBC5877C4D93958048386

Function 008B7520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8776b45af5ddefd7ee83da21096a97d67645efb1c2444ec3402e6e2fd86714a5
Instruction ID: 0dd527fd9930d53ce004ab7dad0082a6bbbf1ac132bc9fa65eab718a60ab059a
Opcode Fuzzy Hash: 8776b45af5ddefd7ee83da21096a97d67645efb1c2444ec3402e6e2fd86714a5
Instruction Fuzzy Hash: D551E43160C7009BCB159E18CC90B6EB7E6FBD5354F288A2CE9E597391D731AC108792

Function 00A04BA0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c72509b2a104129590a01205edca7724a6c4c880e9c7176fabeed2cf166260e
Instruction ID: 454dca580dc55ff74710c54a779685847559612bfa1e466196654ebe42343150
Opcode Fuzzy Hash: 7c72509b2a104129590a01205edca7724a6c4c880e9c7176fabeed2cf166260e
Instruction Fuzzy Hash: 97519EB3F211244BF3444A29CC283623643EBD6314F2F827CCA899B7D5D97E5D0A5384

Function 00875A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b9aed356402d9510f575bb4808dfbe25e54f33ef2ff7b03f0bcaf7e9c71b02
Instruction ID: 737805ab3dca6340a8ade124526cef4a85bff6bd5dc257530ccd291a900a3ec3
Opcode Fuzzy Hash: 24b9aed356402d9510f575bb4808dfbe25e54f33ef2ff7b03f0bcaf7e9c71b02
Instruction Fuzzy Hash: 6151AEB5A047149FC714DF18C89092AB7A1FF85328F19866CE89DCB356DB71EC42CB92

Function 009DAD3E Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee215c83695a9b4d0eff6962a11530950d0f50df2bcf581fad850a8825b10dc
Instruction ID: 049a2051236a014f2fd79c26e7d5c78d39276be2806252e79ac01d509ceb8dad
Opcode Fuzzy Hash: cee215c83695a9b4d0eff6962a11530950d0f50df2bcf581fad850a8825b10dc
Instruction Fuzzy Hash: 234159F3A082009BE3146A2DDC8576BB7DAEFE8320F1A463DD7C4C3750E9764C058282

Function 0089EC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8793c4d94734f58b7e245983cddd9909fb81475d99773278b026fba0d4d93ff
Instruction ID: 6adb742887c51d38090baa5742d06b507e8bcabf77ee91b294fa284b300872e4
Opcode Fuzzy Hash: a8793c4d94734f58b7e245983cddd9909fb81475d99773278b026fba0d4d93ff
Instruction Fuzzy Hash: F441B174900315DBDF20DF58DC91BADBBB0FF0A304F584548E985AB3A1EB38A950CB91

Function 00D01000 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4fbe5861862d3e6a3de102f5852bb00af29cb42d76bf16a41f2e57654179ad2
Instruction ID: 58937558cb11275683807fadd49c08ca5f1a85520bf990660b5b6bdcbe74ebe7
Opcode Fuzzy Hash: b4fbe5861862d3e6a3de102f5852bb00af29cb42d76bf16a41f2e57654179ad2
Instruction Fuzzy Hash: 75419CB260C6209FE7057F29EC856BAFBE5EF84320F06092DE6C987740D6354485CB97

Function 008B9B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab685b8d4e17c29bd7503b6b7ca2e478dd14a551dfa3ef7ade90f1210417d4b6
Instruction ID: f60b53e3fafb3c51b5e0cd314b7f03f1cbdd726e23c0ce1981550aba86ee374f
Opcode Fuzzy Hash: ab685b8d4e17c29bd7503b6b7ca2e478dd14a551dfa3ef7ade90f1210417d4b6
Instruction Fuzzy Hash: EC417C74208304ABDB14DB19D9A0B6BBBF6FB85714F54882CF6C997351D335E850CBA2

Function 00882030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e224d8820dbe22fe56f41891d3b68696e209dee1f5e86c29894003c2484b7132
Instruction ID: 832e591bec558361894a6424b6d0db815e040a81ea6e478c9c9c383f4d3b52db
Opcode Fuzzy Hash: e224d8820dbe22fe56f41891d3b68696e209dee1f5e86c29894003c2484b7132
Instruction Fuzzy Hash: 9F41E772A083654FD35CDE29849423ABBE2FFC5300F19866EE4D6873D1DAB48945DB81

Function 00881E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5e8aa613c3ae3f9ef2b9506cff54ad3bd9ba56773c8c4aa3dcbf9b55f232c3
Instruction ID: 2a92bad53e6494e0299e44f2202167866c3bfae494cacd7e47e824c4b58e45e7
Opcode Fuzzy Hash: ea5e8aa613c3ae3f9ef2b9506cff54ad3bd9ba56773c8c4aa3dcbf9b55f232c3
Instruction Fuzzy Hash: BB41F17450C3809BD720AB58C888B2EFBF5FB8A344F144D1CF6C497292C776E8158B66

Function 008B8D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a0dfcb103884d07ca917c12b4fa3e192af08bfec37a0a8ebd47236dde5e7d6
Instruction ID: 91f34a697ddcaa74de37edfc15d72cadbedd2aad56c7cef54fccbcb9787b0053
Opcode Fuzzy Hash: e7a0dfcb103884d07ca917c12b4fa3e192af08bfec37a0a8ebd47236dde5e7d6
Instruction Fuzzy Hash: 24418C316082548FC714AF68C4A056EFBEAEF99300F198A2ED4D5D73A2DB75DD01CB82

Function 0088D961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba29ed21644d27cb79c3d92f94c35ee82782a85d1976ae3a4c251d7f84ef3462
Instruction ID: 74ef0d103a712ca940eafd2462a422e4fd9b246969161076c58490ea7fabca6a
Opcode Fuzzy Hash: ba29ed21644d27cb79c3d92f94c35ee82782a85d1976ae3a4c251d7f84ef3462
Instruction Fuzzy Hash: B8418BB1508391CBD734AF14C881FABB7B0FFA6365F044958E48A8B692E7748940CB57

Function 00D01043 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6cec46596a23e706f61492fb867a84b2d5cd45bfaae9d658cf3e0bb6c230d7
Instruction ID: afefa1a885d620e764e3f246509b8323e717953fa7e44ad8b0966238c4007958
Opcode Fuzzy Hash: 7e6cec46596a23e706f61492fb867a84b2d5cd45bfaae9d658cf3e0bb6c230d7
Instruction Fuzzy Hash: 85318BB260C6209FE7056F29EC8567AFBE5EF84320F06492DE6C8C7344D6354845CB97

Function 008AF030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: 55f1ccc6789a203f611cf1c765afe4ca3553e643ae7d7522f73330af4c9498cf
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: 4321F5329086244BD3259B99C48153AF7E4FB9A704F06862EDAC4E7296E3359C24C7E2

Function 008B67EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3014aff9df50a31323a0316cab38126448b704d7b89fae2d9f59ca20ff0b0d95
Instruction ID: 924223cd30b386d95c27f98c6dfd9e17fb8ac2d83f7fce24e6c6619b4a452bb6
Opcode Fuzzy Hash: 3014aff9df50a31323a0316cab38126448b704d7b89fae2d9f59ca20ff0b0d95
Instruction Fuzzy Hash: B93102705183829AE714CF14C490A6BBFF0FF96784F54581DF4C8AB262E338D995CB9A

Function 00895E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ff9e6457ecbe12dbd500a35c740ce47c9b17f7ee6f7d015670695332b1ed3b
Instruction ID: c804c9cf53357893cad02fd6420a29f4e601610a5a39bbf81da82c0a8c7d8a7f
Opcode Fuzzy Hash: 66ff9e6457ecbe12dbd500a35c740ce47c9b17f7ee6f7d015670695332b1ed3b
Instruction Fuzzy Hash: 1821BCB14082008BC711AF28C85192BBBF4FF92765F488908F4D9CB292E735CA00CBA3

Function 008749A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: 5d19dfda00dc3cf857675c34333d74c9933261b61b35d87acde5708b7cce6c68
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: F031D6316482109BD7109E18D880A2BF7E1FFC4358F18D92CE8AECB25AE331DC52CB46

Function 008B64B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 409d66d9820d49e8d61449918df81c7dfc5be99de342437a4a5910172f78fdd8
Instruction ID: 55d887469c3a6c90d749cc5fa60154f76a3ee22db3c774a0c6949f21c60c3213
Opcode Fuzzy Hash: 409d66d9820d49e8d61449918df81c7dfc5be99de342437a4a5910172f78fdd8
Instruction Fuzzy Hash: 43212370608241DBC704EF19D880A2EBBF6FB99745F28881CE4C493361D339A8A5CB66

Function 008AB650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 4f5d7a6a1b93eeec0e955288d94706b7760e2fe0158d08af0f4a9a4ed99e3ae1
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: E811E533A095D80ED7168D3C8440565BFA36AB3234B598399F4B8DB2D3D7228D8A8364

Function 008A0B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: 2c9400b4a55df26a988697f604d04292bf01b3c0e6c144530367a5953a7575db
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: 7E0152F5A0030147F7209E6495D1B3BB2A8FB46768F18453CD54AD7601EB75EC06DAA2

Function 0089D1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f556f93dee3957bc400e9571fb7f86f4983b80a017e96231ffd1df5de60e0aea
Instruction ID: 6e241419305f28d084e088e6c83b98da35225146d3f27bd639b570d6fc41c11d
Opcode Fuzzy Hash: f556f93dee3957bc400e9571fb7f86f4983b80a017e96231ffd1df5de60e0aea
Instruction Fuzzy Hash: 0B11DBB0408380AFD310AF658584A2FFBE5FBA6714F148C0DF6A49B251C379E819CF56

Function 00876EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4843cd991e1461fb8fb88ad39da1d00a818b2de055811ceb9e653b182fd2af4
Instruction ID: c074f86ed3bb3dd635aeb7fd204f99b4ec91639dcc6b6012d0c36ddf9e0df0de
Opcode Fuzzy Hash: d4843cd991e1461fb8fb88ad39da1d00a818b2de055811ceb9e653b182fd2af4
Instruction Fuzzy Hash: 0AF0593F71860A0FA210CDAAE88083BF3D6E7D9354B149538EE44C3205EDB2F80281D0

Function 008AB8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 0088C5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 0088B410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 07b6c8d11bc51acb00e712cafc71a09655e3f1198f73a9c5f3ded6bd28a4be62
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: BDF0ECB160451457DF229A959CC1F3BBB9CDBCB354F190436E845D7103D2615845C3EA

Function 008A8220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7d843029be645ad56da0e7f40791c11925f254dd6551c0f5c9beae7b88e2d5
Instruction ID: 2bcac84801ebfc551743ff76130b46962b7bbb7f2df75b80130f32bb35da21e8
Opcode Fuzzy Hash: bc7d843029be645ad56da0e7f40791c11925f254dd6551c0f5c9beae7b88e2d5
Instruction Fuzzy Hash: 5401E4B04107009FC360EF29C44578BBBE8FB08714F104A1DE8AECB780D770A5488B82

Function 008B1440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 1e6785951e6da8089e3e936d5f9c3a9babf2be154cdf4792575d22c0319c927c
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 04D0A731608321469F748E19A4149B7F7F1FAC7B11F89955EF586E7248D230EC41C2AD

Function 00881ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e4e90415dfa0affdcb86e317a2be3a2d063a7adccf2260af25d5c9a1fdf53c
Instruction ID: e199dcc72f63d20ccc096abc76800808031256744a9eaffd8e4abaca02e8fabf
Opcode Fuzzy Hash: c7e4e90415dfa0affdcb86e317a2be3a2d063a7adccf2260af25d5c9a1fdf53c
Instruction Fuzzy Hash: 21C01234A690018B82089F00FCA9832A3B8B706209710703ADA02E3222CA20C4028A0D

Function 008B6094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d944bf3d828a320c0ab0d3439d5651984f2fd47e6e003041a7c67ad42e157e
Instruction ID: e9c8f5fbfc1381eaa510bb395e7e07a9de497fe3e8f795e38af96751964cebe3
Opcode Fuzzy Hash: 12d944bf3d828a320c0ab0d3439d5651984f2fd47e6e003041a7c67ad42e157e
Instruction Fuzzy Hash: 00C09B3465C00487D14CCF08D951D75F376FB97728724F01DC80663395C534D913951C

Function 00881A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119fa31c07cd261ecacb80ad5d26837b05831e27cb5428dd0528f76e6345852e
Instruction ID: f5ac3d5123929856dc8781ddcfe492fb35bd7aff691bef5cc54c51919858d358
Opcode Fuzzy Hash: 119fa31c07cd261ecacb80ad5d26837b05831e27cb5428dd0528f76e6345852e
Instruction Fuzzy Hash: 42C09B34AA9045CBC648DF85ECE5432A3FCB70720C710353A9703F7263C960D405860D

Function 008B5FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1792512649.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.1792488627.0000000000870000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000A50000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792567177.0000000000B6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1792903436.0000000000B6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793045465.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1793076819.0000000000D02000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739379103c685f3737474284406bb18d0de064253ca647e55b8f52ff7f52ee03
Instruction ID: ad4bbbceee243a6914d524c95aeac0a3a1d028aad578dd323d9c8d5a5f29b4bf
Opcode Fuzzy Hash: 739379103c685f3737474284406bb18d0de064253ca647e55b8f52ff7f52ee03
Instruction Fuzzy Hash: FFC09224B680008BE24CCF18DD51D35F2BAAB8BA28B14F02DC806A3256D134E913860C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 008B50FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Function 0087FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 0087D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 008B5700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Function 008B5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 008B695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 0088049B Relevance: .3, Instructions: 264
COMMON

Function 008B3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 008B3202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON