Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1527894
MD5:	7c14dedcb000e7cd805f04fef8af5f0a
SHA1:	b956aa0d23c5c659827c8a1b69ff41bdcbbe6681
SHA256:	0bf01000fac3df8f9d90ccc7f8c6bc2e62b0df0a78cf72c5af2ef410a04b098c
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7C14DEDCB000E7CD805F04FEF8AF5F0A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["mobbipenju.stor", "clearancek.site", "spirittunek.stor", "eaglepawnoy.stor", "dissapoiznw.stor", "bathdoomgaz.stor", "studennotediw.stor", "licendfilteo.site"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T11:29:36.068509+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.10	59596	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T11:29:36.020778+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.10	54547	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T11:29:36.050480+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.10	57116	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T11:29:36.040395+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.10	55212	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T11:29:36.093825+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.10	63887	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T11:29:36.030855+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.10	58622	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T11:29:36.078177+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.10	56892	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T11:29:36.059237+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.10	61144	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.7312.1.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["mobbipenju.stor", "clearancek.site", "spirittunek.stor", "eaglepawnoy.stor", "dissapoiznw.stor", "bathdoomgaz.stor", "studennotediw.stor", "licendfilteo.site"], "Build id": "4SD0y4--legendaryy"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.10:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_007F50FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_007BD110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_007BD110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	1_2_007F63B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_007F5700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	1_2_007F695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	1_2_007F99D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	1_2_007BFCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	1_2_007F4040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	1_2_007EF030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	1_2_007C6F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	1_2_007B1000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	1_2_007F6094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	1_2_007DD1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_007D2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	1_2_007D2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_007C42FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	1_2_007BA300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_007E23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_007E23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_007E23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_007E23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_007E23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	1_2_007E23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	1_2_007DC470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_007CD457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	1_2_007F1440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	1_2_007CB410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_007DE40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	1_2_007F64B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_007C6536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	1_2_007F7520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_007D9510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	1_2_007B8590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_007DE66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_007EB650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	1_2_007F7710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	1_2_007F67EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_007DD7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_007D28E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	1_2_007CD961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	1_2_007F3920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	1_2_007B49A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	1_2_007B5A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	1_2_007F4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_007C1A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_007C1ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	1_2_007CDB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	1_2_007CDB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	1_2_007F9B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	1_2_007C1BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_007C3BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_007E0B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	1_2_007DEC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	1_2_007EFC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	1_2_007D7C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_007F9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	1_2_007F9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	1_2_007DCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_007DCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	1_2_007DCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_007DAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	1_2_007DAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_007DDD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	1_2_007DFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_007F8D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_007D5E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_007D7E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	1_2_007DAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	1_2_007C4E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	1_2_007C0EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	1_2_007C6EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	1_2_007BBEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	1_2_007B6EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	1_2_007C1E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_007EFF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_007D9F62
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	1_2_007CFFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	1_2_007F5FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	1_2_007B8FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	1_2_007F7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_007F7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	1_2_007C6F91

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.10:58622 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.10:61144 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.10:57116 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.10:56892 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.10:54547 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.10:59596 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.10:55212 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.10:63887 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: mobbipenju.stor
Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: spirittunek.stor
Source: Malware configuration extractor	URLs: eaglepawnoy.stor
Source: Malware configuration extractor	URLs: dissapoiznw.stor
Source: Malware configuration extractor	URLs: bathdoomgaz.stor
Source: Malware configuration extractor	URLs: studennotediw.stor
Source: Malware configuration extractor	URLs: licendfilteo.site

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=eaedea017b443af5895aa815; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 07 Oct 2024 09:29:37 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000001.00000002.1309825390.0000000000E21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000001.00000002.1309825390.0000000000E21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000001.00000003.1288957861.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000001.00000003.1288957861.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: file.exe, 00000001.00000003.1288957861.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000001.00000003.1288957861.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000001.00000003.1288957861.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000001.00000003.1288957861.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000001.00000003.1288957861.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000001.00000003.1288957861.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/-
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000001.00000002.1309670351.0000000000DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000001.00000003.1288801249.0000000000DB0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/z
Source: file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000001.00000002.1309825390.0000000000E21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.10:49704 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007C0228	1_2_007C0228
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E	1_2_0097B09E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007F4040	1_2_007F4040
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007C2030	1_2_007C2030
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B1000	1_2_007B1000
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007FA0D0	1_2_007FA0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B5160	1_2_007B5160
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B71F0	1_2_007B71F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007BE1A0	1_2_007BE1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B12F7	1_2_007B12F7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007E82D0	1_2_007E82D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007E12D0	1_2_007E12D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A1B264	1_2_00A1B264
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00962267	1_2_00962267
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_009683D6	1_2_009683D6
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_009793F0	1_2_009793F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007BA300	1_2_007BA300
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00974318	1_2_00974318
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007E23E0	1_2_007E23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B13A3	1_2_007B13A3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007BB3A0	1_2_007BB3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007DC470	1_2_007DC470
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0082A494	1_2_0082A494
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5D4C0	1_2_00A5D4C0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007E64F0	1_2_007E64F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007C049B	1_2_007C049B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007C4487	1_2_007C4487
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0096D5F2	1_2_0096D5F2
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007CC5F0	1_2_007CC5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B35B0	1_2_007B35B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B8590	1_2_007B8590
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A1068B	1_2_00A1068B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007F8652	1_2_007F8652
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B164F	1_2_007B164F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007EF620	1_2_007EF620
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007F86F0	1_2_007F86F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_008737E4	1_2_008737E4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007E1860	1_2_007E1860
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007BA850	1_2_007BA850
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_009778E4	1_2_009778E4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007EB8C0	1_2_007EB8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00972851	1_2_00972851
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007EE8A0	1_2_007EE8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0090986C	1_2_0090986C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0096F9CC	1_2_0096F9CC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007F89A0	1_2_007F89A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007D098B	1_2_007D098B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007F4A40	1_2_007F4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007F7AB0	1_2_007F7AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007F8A80	1_2_007F8A80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007CDB6F	1_2_007CDB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B7BF0	1_2_007B7BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00970CEF	1_2_00970CEF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007F8C02	1_2_007F8C02
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007DCCD0	1_2_007DCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007F6CBF	1_2_007F6CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A93C49	1_2_00A93C49
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007D8D62	1_2_007D8D62
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007DDD29	1_2_007DDD29
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007DFD10	1_2_007DFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0096BD10	1_2_0096BD10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00975D4E	1_2_00975D4E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007F8E70	1_2_007F8E70
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007DAE57	1_2_007DAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0096FEDA	1_2_0096FEDA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007C4E2A	1_2_007C4E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007C6EBF	1_2_007C6EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007BBEB0	1_2_007BBEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00969FB1	1_2_00969FB1
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007BAF10	1_2_007BAF10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007B8FD0	1_2_007B8FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_007F7FC0	1_2_007F7FC0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007CD300 appears 152 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007BCAA0 appears 48 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9993876340759076
Source: file.exe	Static PE information: Section: tgcpoubk ZLIB complexity 0.9940446966519219

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007E8220 CoCreateInstance,

1_2_007E8220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 31%

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1848320 > 1048576

Source: file.exe

Static PE information: Raw size of tgcpoubk is bigger than: 0x100000 < 0x199c00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 1.2.file.exe.7b0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;tgcpoubk:EW;tlfmchnb:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;tgcpoubk:EW;tlfmchnb:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1d2556 should be: 0x1cead5

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: tgcpoubk
Source: file.exe	Static PE information: section name: tlfmchnb
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push 7F870677h; mov dword ptr [esp], ebx	1_2_0097B172
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push ebx; mov dword ptr [esp], 7CB7699Bh	1_2_0097B179
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push edx; mov dword ptr [esp], 7D2CD700h	1_2_0097B21F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push 2E6C7EB6h; mov dword ptr [esp], esi	1_2_0097B237
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push 760A5319h; mov dword ptr [esp], ebx	1_2_0097B25E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push edx; mov dword ptr [esp], edi	1_2_0097B2AD
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push 7EBD03EBh; mov dword ptr [esp], ebp	1_2_0097B2E7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push eax; mov dword ptr [esp], edx	1_2_0097B34F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push ebx; mov dword ptr [esp], edi	1_2_0097B41B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push 12AFFAA4h; mov dword ptr [esp], edi	1_2_0097B47D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push 4D27A3B6h; mov dword ptr [esp], esi	1_2_0097B498
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push eax; mov dword ptr [esp], esi	1_2_0097B4CC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push 1D720915h; mov dword ptr [esp], esi	1_2_0097B4E4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push 50628817h; mov dword ptr [esp], ecx	1_2_0097B592
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push eax; mov dword ptr [esp], 5F919018h	1_2_0097B682
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push edi; mov dword ptr [esp], 10C0FE2Ah	1_2_0097B68D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push esi; mov dword ptr [esp], 6F9F25C4h	1_2_0097B699
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push ebx; mov dword ptr [esp], 7EFF9836h	1_2_0097B6C1
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push 42587ACEh; mov dword ptr [esp], edx	1_2_0097B6D6
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push eax; mov dword ptr [esp], esi	1_2_0097B6F9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push ecx; mov dword ptr [esp], eax	1_2_0097B736
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push ecx; mov dword ptr [esp], 3FF37C61h	1_2_0097B80D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push eax; mov dword ptr [esp], edi	1_2_0097B879
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push 4A3C7D21h; mov dword ptr [esp], ebx	1_2_0097B8AE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push ebx; mov dword ptr [esp], 37F77C48h	1_2_0097B8D9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push 2983C700h; mov dword ptr [esp], ecx	1_2_0097B991
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push esi; mov dword ptr [esp], edx	1_2_0097B9EC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push esi; mov dword ptr [esp], 5A753F19h	1_2_0097BA17
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push 55427E1Ah; mov dword ptr [esp], edi	1_2_0097BA3B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push 4A58A408h; mov dword ptr [esp], edx	1_2_0097BAD0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0097B09E push edi; mov dword ptr [esp], 7E5B1F3Bh	1_2_0097BB5E

Source: file.exe	Static PE information: section name: entropy: 7.97321298613842
Source: file.exe	Static PE information: section name: tgcpoubk entropy: 7.952506816455278

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81375C second address: 813761 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 813761 second address: 813767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96D0E7 second address: 96D112 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F07A8CFD416h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F07A8CFD41Dh 0x00000010 jng 00007F07A8CFD416h 0x00000016 jmp 00007F07A8CFD41Bh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96D112 second address: 96D117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96D117 second address: 96D126 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jne 00007F07A8CFD416h 0x00000009 pop edx 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96D126 second address: 96D12C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 980EA8 second address: 980EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 980FEC second address: 980FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 981153 second address: 981157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 981157 second address: 98118C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F07A9060E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d js 00007F07A9060E16h 0x00000013 jl 00007F07A9060E16h 0x00000019 jmp 00007F07A9060E1Fh 0x0000001e popad 0x0000001f push edi 0x00000020 pushad 0x00000021 popad 0x00000022 pop edi 0x00000023 push eax 0x00000024 push edx 0x00000025 jl 00007F07A9060E16h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98118C second address: 981190 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9812C0 second address: 9812C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9812C8 second address: 9812D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9812D0 second address: 9812EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jo 00007F07A9060E16h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 jl 00007F07A9060E24h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9812EA second address: 9812EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984CFA second address: 984D00 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984D00 second address: 984D1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07A8CFD426h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984D1A second address: 81375C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A9060E27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 22BB87C0h 0x00000012 xor ecx, dword ptr [ebp+122D2980h] 0x00000018 push dword ptr [ebp+122D01B9h] 0x0000001e or edi, dword ptr [ebp+122D2E38h] 0x00000024 call dword ptr [ebp+122D18B5h] 0x0000002a pushad 0x0000002b pushad 0x0000002c clc 0x0000002d pushad 0x0000002e jmp 00007F07A9060E23h 0x00000033 movsx ebx, cx 0x00000036 popad 0x00000037 popad 0x00000038 jnc 00007F07A9060E1Ch 0x0000003e xor eax, eax 0x00000040 cmc 0x00000041 mov edx, dword ptr [esp+28h] 0x00000045 cld 0x00000046 mov dword ptr [ebp+122D2A58h], eax 0x0000004c sub dword ptr [ebp+122D240Ah], edi 0x00000052 mov esi, 0000003Ch 0x00000057 jmp 00007F07A9060E23h 0x0000005c xor dword ptr [ebp+122D240Ah], eax 0x00000062 add esi, dword ptr [esp+24h] 0x00000066 mov dword ptr [ebp+122D1874h], edi 0x0000006c lodsw 0x0000006e jnl 00007F07A9060E20h 0x00000074 mov dword ptr [ebp+122D1874h], eax 0x0000007a add eax, dword ptr [esp+24h] 0x0000007e je 00007F07A9060E17h 0x00000084 clc 0x00000085 mov ebx, dword ptr [esp+24h] 0x00000089 or dword ptr [ebp+122D2F2Eh], edx 0x0000008f push eax 0x00000090 push eax 0x00000091 push edx 0x00000092 pushad 0x00000093 jmp 00007F07A9060E29h 0x00000098 jl 00007F07A9060E16h 0x0000009e popad 0x0000009f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984D65 second address: 984E0F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a jne 00007F07A8CFD41Ch 0x00000010 pop ebx 0x00000011 nop 0x00000012 and ch, FFFFFFB0h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007F07A8CFD418h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 mov si, 6A22h 0x00000035 call 00007F07A8CFD419h 0x0000003a push edi 0x0000003b jmp 00007F07A8CFD41Dh 0x00000040 pop edi 0x00000041 push eax 0x00000042 jnl 00007F07A8CFD437h 0x00000048 mov eax, dword ptr [esp+04h] 0x0000004c jmp 00007F07A8CFD429h 0x00000051 mov eax, dword ptr [eax] 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984E0F second address: 984E13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984E13 second address: 984E4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007F07A8CFD416h 0x0000000d jmp 00007F07A8CFD423h 0x00000012 popad 0x00000013 popad 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F07A8CFD424h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984F55 second address: 984F59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984F59 second address: 984F5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984F5D second address: 984FB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 jno 00007F07A9060E18h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F07A9060E28h 0x00000017 popad 0x00000018 popad 0x00000019 nop 0x0000001a or ecx, dword ptr [ebp+122D2978h] 0x00000020 push 00000000h 0x00000022 push 8112FA53h 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a jmp 00007F07A9060E25h 0x0000002f push ebx 0x00000030 pop ebx 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984FB4 second address: 984FBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F07A8CFD416h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 985076 second address: 98507B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98507B second address: 9850B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 71D2653Bh 0x0000000e mov si, ax 0x00000011 jmp 00007F07A8CFD41Dh 0x00000016 lea ebx, dword ptr [ebp+12444C43h] 0x0000001c movzx edx, ax 0x0000001f xchg eax, ebx 0x00000020 jmp 00007F07A8CFD41Dh 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9850B7 second address: 9850BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9850BB second address: 9850C5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F07A8CFD416h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9850F7 second address: 985117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov ecx, dword ptr [ebp+122D1AEFh] 0x00000011 push 00000000h 0x00000013 mov dl, 35h 0x00000015 push B261DB70h 0x0000001a pushad 0x0000001b pushad 0x0000001c push edi 0x0000001d pop edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 985117 second address: 9851C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F07A8CFD418h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e add dword ptr [esp], 4D9E2510h 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F07A8CFD418h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f mov edi, dword ptr [ebp+122D240Ah] 0x00000035 push 00000003h 0x00000037 push 00000000h 0x00000039 mov esi, dword ptr [ebp+122D27C4h] 0x0000003f push 00000003h 0x00000041 mov edi, dword ptr [ebp+122D283Ch] 0x00000047 push 7B1279AEh 0x0000004c jmp 00007F07A8CFD428h 0x00000051 add dword ptr [esp], 44ED8652h 0x00000058 push 00000000h 0x0000005a push ebx 0x0000005b call 00007F07A8CFD418h 0x00000060 pop ebx 0x00000061 mov dword ptr [esp+04h], ebx 0x00000065 add dword ptr [esp+04h], 00000015h 0x0000006d inc ebx 0x0000006e push ebx 0x0000006f ret 0x00000070 pop ebx 0x00000071 ret 0x00000072 add ecx, dword ptr [ebp+122D2864h] 0x00000078 lea ebx, dword ptr [ebp+12444C4Eh] 0x0000007e mov edx, dword ptr [ebp+122D2A84h] 0x00000084 xchg eax, ebx 0x00000085 pushad 0x00000086 push eax 0x00000087 push edx 0x00000088 push eax 0x00000089 push edx 0x0000008a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9851C1 second address: 9851C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A518C second address: 9A5191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5191 second address: 9A51B5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F07A9060E2Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96EC13 second address: 96EC2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07A8CFD428h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A309E second address: 9A30A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A3216 second address: 9A324B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A8CFD429h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F07A8CFD425h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A3527 second address: 9A352D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A42ED second address: 9A42FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07A8CFD41Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A48D8 second address: 9A48F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A9060E1Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007F07A9060E1Ch 0x00000011 jp 00007F07A9060E16h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A4A50 second address: 9A4A6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07A8CFD425h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A4FC3 second address: 9A4FE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F07A9060E21h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F07A9060E20h 0x00000011 push edi 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A7F79 second address: 9A7F92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A8CFD420h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AA08C second address: 9AA090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AA090 second address: 9AA0A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A8CFD41Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A8DF4 second address: 9A8DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A958C second address: 9A95AF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F07A8CFD41Eh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e jng 00007F07A8CFD416h 0x00000014 pop eax 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B0053 second address: 9B006D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A9060E1Dh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B006D second address: 9B007A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 je 00007F07A8CFD416h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B0766 second address: 9B076C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B1195 second address: 9B119B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B1679 second address: 9B1680 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B187F second address: 9B1884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B1D51 second address: 9B1D5C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B1DFF second address: 9B1E25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A8CFD41Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F07A8CFD420h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B1E25 second address: 9B1E29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B1EB9 second address: 9B1EBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B1F8B second address: 9B1F8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B1F8F second address: 9B1FA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F07A8CFD41Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B1FA9 second address: 9B1FAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2177 second address: 9B2188 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F07A8CFD416h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B237F second address: 9B23E9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jmp 00007F07A9060E24h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F07A9060E18h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 jnp 00007F07A9060E1Ch 0x0000002e xor edi, dword ptr [ebp+122D19B6h] 0x00000034 jmp 00007F07A9060E1Eh 0x00000039 xchg eax, ebx 0x0000003a pushad 0x0000003b jno 00007F07A9060E1Ch 0x00000041 push eax 0x00000042 push edx 0x00000043 ja 00007F07A9060E16h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B291B second address: 9B298F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F07A8CFD429h 0x0000000a popad 0x0000000b nop 0x0000000c mov esi, dword ptr [ebp+122D27E8h] 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007F07A8CFD418h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e or esi, dword ptr [ebp+122D2770h] 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007F07A8CFD418h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 00000014h 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 push eax 0x00000051 push ebx 0x00000052 push eax 0x00000053 push edx 0x00000054 js 00007F07A8CFD416h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B30E2 second address: 9B3120 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F07A9060E27h 0x0000000c jc 00007F07A9060E16h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F07A9060E24h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B3120 second address: 9B3124 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B42E8 second address: 9B42ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B4BB3 second address: 9B4BB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B4BB7 second address: 9B4BC1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B5836 second address: 9B58AD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F07A8CFD428h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F07A8CFD418h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007F07A8CFD418h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 0000001Bh 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 mov di, D59Eh 0x00000045 push 00000000h 0x00000047 and edi, dword ptr [ebp+122D2679h] 0x0000004d push eax 0x0000004e push esi 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B58AD second address: 9B58B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B6396 second address: 9B639C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B60EB second address: 9B60FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07A9060E1Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B6B1F second address: 9B6B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B6B23 second address: 9B6B29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B77B6 second address: 9B77CB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jo 00007F07A8CFD422h 0x0000000d jo 00007F07A8CFD41Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B6B29 second address: 9B6B2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BC76F second address: 9BC775 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BC775 second address: 9BC78D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F07A9060E1Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BDD9F second address: 9BDDA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BCF76 second address: 9BCF7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BDDA5 second address: 9BDDBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07A8CFD423h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BCF7C second address: 9BCF87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F07A9060E16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BCF87 second address: 9BCF98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 jns 00007F07A8CFD41Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BD055 second address: 9BD059 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFCF1 second address: 9BFCF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BFCF5 second address: 9BFCF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C1BFF second address: 9C1C03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C1C03 second address: 9C1C07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C401C second address: 9C4024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C4024 second address: 9C4028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C4246 second address: 9C4315 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F07A8CFD418h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F07A8CFD420h 0x00000010 nop 0x00000011 add edi, dword ptr [ebp+122D2818h] 0x00000017 push dword ptr fs:[00000000h] 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007F07A8CFD418h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 jno 00007F07A8CFD42Fh 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 sub dword ptr [ebp+122D3569h], eax 0x0000004b call 00007F07A8CFD41Dh 0x00000050 sbb bx, 69A1h 0x00000055 pop edi 0x00000056 mov eax, dword ptr [ebp+122D1571h] 0x0000005c mov dword ptr [ebp+1245DE18h], edi 0x00000062 push FFFFFFFFh 0x00000064 push 00000000h 0x00000066 push ecx 0x00000067 call 00007F07A8CFD418h 0x0000006c pop ecx 0x0000006d mov dword ptr [esp+04h], ecx 0x00000071 add dword ptr [esp+04h], 0000001Ch 0x00000079 inc ecx 0x0000007a push ecx 0x0000007b ret 0x0000007c pop ecx 0x0000007d ret 0x0000007e or dword ptr [ebp+122D2685h], edx 0x00000084 nop 0x00000085 push eax 0x00000086 push edx 0x00000087 push ecx 0x00000088 jg 00007F07A8CFD416h 0x0000008e pop ecx 0x0000008f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C6045 second address: 9C604D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C604D second address: 9C60C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07A8CFD420h 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F07A8CFD418h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov ebx, 14DA9489h 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push esi 0x00000030 call 00007F07A8CFD418h 0x00000035 pop esi 0x00000036 mov dword ptr [esp+04h], esi 0x0000003a add dword ptr [esp+04h], 00000015h 0x00000042 inc esi 0x00000043 push esi 0x00000044 ret 0x00000045 pop esi 0x00000046 ret 0x00000047 mov bx, 607Ah 0x0000004b push 00000000h 0x0000004d sbb di, 3324h 0x00000052 xchg eax, esi 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F07A8CFD421h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C704C second address: 9C7051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C7051 second address: 9C7066 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F07A8CFD41Ch 0x00000008 jo 00007F07A8CFD416h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C7FDF second address: 9C803F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F07A9060E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F07A9060E18h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 sub ebx, dword ptr [ebp+122D29C8h] 0x0000002e push 00000000h 0x00000030 jns 00007F07A9060E1Ch 0x00000036 jmp 00007F07A9060E1Fh 0x0000003b push 00000000h 0x0000003d mov ebx, dword ptr [ebp+122D18D3h] 0x00000043 xchg eax, esi 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C803F second address: 9C8043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C8043 second address: 9C8049 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C8FFE second address: 9C9083 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F07A8CFD416h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F07A8CFD418h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 push 00000000h 0x0000002a mov bh, ah 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007F07A8CFD418h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 xchg eax, esi 0x00000049 jmp 00007F07A8CFD426h 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 jmp 00007F07A8CFD424h 0x00000057 pushad 0x00000058 popad 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C8278 second address: 9C827E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C827E second address: 9C8282 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C8282 second address: 9C8295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 je 00007F07A9060E2Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C91D7 second address: 9C91DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C91DB second address: 9C91DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C91DF second address: 9C91E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C91E9 second address: 9C91ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C91ED second address: 9C9282 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F07A8CFD418h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 jne 00007F07A8CFD41Ch 0x0000002a mov ebx, dword ptr [ebp+122D1926h] 0x00000030 push dword ptr fs:[00000000h] 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e jmp 00007F07A8CFD41Bh 0x00000043 mov eax, dword ptr [ebp+122D0BCDh] 0x00000049 push 00000000h 0x0000004b push esi 0x0000004c call 00007F07A8CFD418h 0x00000051 pop esi 0x00000052 mov dword ptr [esp+04h], esi 0x00000056 add dword ptr [esp+04h], 0000001Ch 0x0000005e inc esi 0x0000005f push esi 0x00000060 ret 0x00000061 pop esi 0x00000062 ret 0x00000063 mov ebx, dword ptr [ebp+122D1B61h] 0x00000069 sub dword ptr [ebp+122D3648h], ebx 0x0000006f push FFFFFFFFh 0x00000071 nop 0x00000072 push eax 0x00000073 push edx 0x00000074 pushad 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C9282 second address: 9C9295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07A9060E1Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CB1B8 second address: 9CB1C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A8CFD41Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CB1C9 second address: 9CB1CE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CA30F second address: 9CA313 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CA313 second address: 9CA3C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jnp 00007F07A9060E2Ah 0x0000000e nop 0x0000000f adc ebx, 649D5301h 0x00000015 mov dword ptr [ebp+122D3559h], edx 0x0000001b push dword ptr fs:[00000000h] 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 mov dword ptr [ebp+122D3508h], eax 0x0000002f mov eax, dword ptr [ebp+122D1321h] 0x00000035 push 00000000h 0x00000037 push ebp 0x00000038 call 00007F07A9060E18h 0x0000003d pop ebp 0x0000003e mov dword ptr [esp+04h], ebp 0x00000042 add dword ptr [esp+04h], 0000001Bh 0x0000004a inc ebp 0x0000004b push ebp 0x0000004c ret 0x0000004d pop ebp 0x0000004e ret 0x0000004f call 00007F07A9060E27h 0x00000054 mov ebx, dword ptr [ebp+122D22D1h] 0x0000005a pop ebx 0x0000005b push FFFFFFFFh 0x0000005d push 00000000h 0x0000005f push ebx 0x00000060 call 00007F07A9060E18h 0x00000065 pop ebx 0x00000066 mov dword ptr [esp+04h], ebx 0x0000006a add dword ptr [esp+04h], 0000001Ah 0x00000072 inc ebx 0x00000073 push ebx 0x00000074 ret 0x00000075 pop ebx 0x00000076 ret 0x00000077 push eax 0x00000078 push eax 0x00000079 push eax 0x0000007a push edx 0x0000007b pushad 0x0000007c popad 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CC329 second address: 9CC356 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F07A8CFD416h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F07A8CFD428h 0x00000012 push eax 0x00000013 push edx 0x00000014 jp 00007F07A8CFD416h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CD2B2 second address: 9CD2C4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F07A9060E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F07A9060E1Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97AB98 second address: 97AB9E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D407A second address: 9D4080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D4080 second address: 9D4084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D4084 second address: 9D40A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A9060E28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D41D6 second address: 9D41DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D41DB second address: 9D41E0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D41E0 second address: 9D4209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jno 00007F07A8CFD416h 0x0000000c jmp 00007F07A8CFD429h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D44A5 second address: 9D44FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 jmp 00007F07A9060E1Dh 0x0000000e popad 0x0000000f pushad 0x00000010 jg 00007F07A9060E2Ah 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F07A9060E22h 0x0000001d jp 00007F07A9060E2Fh 0x00000023 push eax 0x00000024 push edx 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D9797 second address: 9D979C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D979C second address: 9D97B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F07A9060E16h 0x00000009 jp 00007F07A9060E16h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 jng 00007F07A9060E16h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D98B2 second address: 9D98B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D98B8 second address: 9D9907 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F07A9060E1Ch 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F07A9060E27h 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a js 00007F07A9060E28h 0x00000020 jmp 00007F07A9060E22h 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D9907 second address: 9D990B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D990B second address: 9D992B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F07A9060E1Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CD3E1 second address: 9CD3E7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D9A17 second address: 9D9A1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D9A1B second address: 9D9A25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F07A8CFD416h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D9A25 second address: 9D9A52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A9060E28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jbe 00007F07A9060E22h 0x00000012 je 00007F07A9060E1Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D9A52 second address: 9D9A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [esp+04h] 0x00000008 pushad 0x00000009 jmp 00007F07A8CFD428h 0x0000000e js 00007F07A8CFD41Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D9A7B second address: 9D9A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a jc 00007F07A9060E16h 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D9A8C second address: 9D9A92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 967EE0 second address: 967F04 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F07A9060E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jg 00007F07A9060E16h 0x00000011 pop edx 0x00000012 pushad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jmp 00007F07A9060E1Dh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 967F04 second address: 967F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 jmp 00007F07A8CFD426h 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DEB8B second address: 9DEB91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DEB91 second address: 9DEBA1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F07A8CFD41Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DEBA1 second address: 9DEBA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DEBA7 second address: 9DEBAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DEFDA second address: 9DEFDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DF110 second address: 9DF116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DF116 second address: 9DF13D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F07A9060E24h 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop eax 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DF13D second address: 9DF158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F07A8CFD41Ah 0x0000000d popad 0x0000000e jo 00007F07A8CFD418h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DF322 second address: 9DF346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jp 00007F07A9060E1Ch 0x0000000d popad 0x0000000e push ecx 0x0000000f je 00007F07A9060E1Ch 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3AB7 second address: 9E3ABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3ABB second address: 9E3AC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F07A9060E16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3C25 second address: 9E3C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07A8CFD425h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3C3E second address: 9E3C52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A9060E20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3C52 second address: 9E3C5C instructions: 0x00000000 rdtsc 0x00000002 js 00007F07A8CFD41Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E403E second address: 9E404C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07A9060E1Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E404C second address: 9E4056 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F07A8CFD416h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4056 second address: 9E4060 instructions: 0x00000000 rdtsc 0x00000002 je 00007F07A9060E1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4060 second address: 9E4076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F07A8CFD41Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E4076 second address: 9E407A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E41C6 second address: 9E41CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E41CD second address: 9E41DD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 js 00007F07A9060E16h 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E41DD second address: 9E41E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E41E3 second address: 9E41E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E433E second address: 9E436A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F07A8CFD423h 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e jmp 00007F07A8CFD421h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E436A second address: 9E4370 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E44B9 second address: 9E44E3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F07A8CFD416h 0x00000008 jmp 00007F07A8CFD427h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jl 00007F07A8CFD416h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E44E3 second address: 9E450C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07A9060E29h 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F07A9060E18h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E479A second address: 9E479E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97233B second address: 97235A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A9060E25h 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F07A9060E16h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97235A second address: 97238B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a jmp 00007F07A8CFD41Eh 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F07A8CFD424h 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97238B second address: 97238F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EA9B5 second address: 9EA9D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F07A8CFD420h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EA9D2 second address: 9EA9D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EAEF3 second address: 9EAF05 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F07A8CFD41Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EAF05 second address: 9EAF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F07A9060E16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EA6CD second address: 9EA6D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EA6D8 second address: 9EA6E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F07A9060E16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF31F second address: 9EF334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF334 second address: 9EF379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07A9060E27h 0x00000009 jmp 00007F07A9060E29h 0x0000000e popad 0x0000000f pushad 0x00000010 jc 00007F07A9060E16h 0x00000016 pushad 0x00000017 popad 0x00000018 js 00007F07A9060E16h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF379 second address: 9EF385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F07A8CFD416h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF385 second address: 9EF389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F258A second address: 9F2590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F2590 second address: 9F259D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F07A9060E16h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F6BDB second address: 9F6BE1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F5A18 second address: 9F5A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jg 00007F07A9060E39h 0x0000000d jmp 00007F07A9060E23h 0x00000012 jmp 00007F07A9060E20h 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b jmp 00007F07A9060E29h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B8C59 second address: 9B8C5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B904B second address: 9B9052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9052 second address: 9B9057 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9057 second address: 9B908F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07A9060E27h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jc 00007F07A9060E2Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F07A9060E21h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B908F second address: 81375C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D18D3h], edi 0x0000000d push dword ptr [ebp+122D01B9h] 0x00000013 call dword ptr [ebp+122D18B5h] 0x00000019 pushad 0x0000001a pushad 0x0000001b clc 0x0000001c pushad 0x0000001d jmp 00007F07A8CFD423h 0x00000022 movsx ebx, cx 0x00000025 popad 0x00000026 popad 0x00000027 jnc 00007F07A8CFD41Ch 0x0000002d xor eax, eax 0x0000002f cmc 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 cld 0x00000035 mov dword ptr [ebp+122D2A58h], eax 0x0000003b sub dword ptr [ebp+122D240Ah], edi 0x00000041 mov esi, 0000003Ch 0x00000046 jmp 00007F07A8CFD423h 0x0000004b xor dword ptr [ebp+122D240Ah], eax 0x00000051 add esi, dword ptr [esp+24h] 0x00000055 mov dword ptr [ebp+122D1874h], edi 0x0000005b lodsw 0x0000005d jnl 00007F07A8CFD420h 0x00000063 mov dword ptr [ebp+122D1874h], eax 0x00000069 add eax, dword ptr [esp+24h] 0x0000006d je 00007F07A8CFD417h 0x00000073 clc 0x00000074 mov ebx, dword ptr [esp+24h] 0x00000078 or dword ptr [ebp+122D2F2Eh], edx 0x0000007e push eax 0x0000007f push eax 0x00000080 push edx 0x00000081 pushad 0x00000082 jmp 00007F07A8CFD429h 0x00000087 jl 00007F07A8CFD416h 0x0000008d popad 0x0000008e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B911E second address: 9B9156 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A9060E20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jng 00007F07A9060E1Ah 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop edx 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F07A9060E22h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9156 second address: 9B916F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A8CFD41Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B916F second address: 9B9173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9173 second address: 9B9177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9177 second address: 9B91AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F07A9060E18h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 jmp 00007F07A9060E1Dh 0x00000018 pop eax 0x00000019 push esi 0x0000001a or dword ptr [ebp+122D175Fh], ecx 0x00000020 pop edi 0x00000021 call 00007F07A9060E19h 0x00000026 push eax 0x00000027 push edx 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b pop edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B91AF second address: 9B91E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F07A8CFD41Fh 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F07A8CFD429h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B91E3 second address: 9B91FE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F07A9060E1Bh 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B91FE second address: 9B9203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B93CE second address: 9B93FE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jl 00007F07A9060E1Ch 0x00000010 jng 00007F07A9060E16h 0x00000016 jo 00007F07A9060E18h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f xchg eax, esi 0x00000020 mov dword ptr [ebp+1246BB48h], edi 0x00000026 nop 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a jng 00007F07A9060E16h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B95C6 second address: 9B95CF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9AC6 second address: 9B9ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9C81 second address: 9B9C94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F07A8CFD418h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9C94 second address: 9B9C9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9C9A second address: 9B9C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9F05 second address: 9B9F09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9F09 second address: 9B9F46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edx, ecx 0x0000000c lea eax, dword ptr [ebp+12478765h] 0x00000012 movsx ecx, dx 0x00000015 push esi 0x00000016 mov di, 57FCh 0x0000001a pop ecx 0x0000001b push eax 0x0000001c jl 00007F07A8CFD437h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F07A8CFD429h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F5D2A second address: 9F5D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F07A9060E29h 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F6016 second address: 9F601A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F645E second address: 9F6464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F6464 second address: 9F6468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F6468 second address: 9F648E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F07A9060E28h 0x0000000d jno 00007F07A9060E16h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F648E second address: 9F649A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F649A second address: 9F649F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F65ED second address: 9F65F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F9BE8 second address: 9F9BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F9BEC second address: 9F9C0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A8CFD427h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F9C0A second address: 9F9C10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F9C10 second address: 9F9C1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F97EA second address: 9F97F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F97F3 second address: 9F97F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F9952 second address: 9F9958 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F9958 second address: 9F9969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07A8CFD41Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FC9A7 second address: 9FC9AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FC9AD second address: 9FC9B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FC583 second address: 9FC589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FC6D0 second address: 9FC6D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0151B second address: A01523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A01523 second address: A01529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00968 second address: A00978 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F07A9060E16h 0x00000008 jnc 00007F07A9060E16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00C88 second address: A00C8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00C8C second address: A00C92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00C92 second address: A00C97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00DD8 second address: A00DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00F5C second address: A00F8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A8CFD426h 0x00000007 pushad 0x00000008 jmp 00007F07A8CFD428h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00F8F second address: A00FA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F07A9060E16h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push edx 0x0000000f jng 00007F07A9060E16h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0110B second address: A01138 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A8CFD423h 0x00000007 jmp 00007F07A8CFD422h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A01138 second address: A01144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A044C9 second address: A044CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A044CE second address: A044D3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A044D3 second address: A044E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jc 00007F07A8CFD416h 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03CA2 second address: A03CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F07A9060E16h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03CAD second address: A03CBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F07A8CFD416h 0x0000000a jns 00007F07A8CFD416h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03CBD second address: A03CCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03CCC second address: A03CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03F74 second address: A03F78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03F78 second address: A03F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03F80 second address: A03F8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F07A9060E16h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A09415 second address: A0941A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0941A second address: A0941F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0941F second address: A09427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0986E second address: A09872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A099B2 second address: A099BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A099BA second address: A099E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F07A9060E16h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F07A9060E24h 0x00000012 jnl 00007F07A9060E16h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A09B73 second address: A09B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07A8CFD41Ah 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F07A8CFD420h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A09B9D second address: A09BA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A09BA1 second address: A09BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A09BA7 second address: A09BAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A09BAD second address: A09BB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F07A8CFD416h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A09BB9 second address: A09BC7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F07A9060E16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96B5AA second address: 96B5B0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0FEB0 second address: A0FEB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0FEB4 second address: A0FEB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0FEB8 second address: A0FEBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0FFFD second address: A10023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnp 00007F07A8CFD427h 0x0000000b jmp 00007F07A8CFD41Fh 0x00000010 pushad 0x00000011 popad 0x00000012 push edi 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10023 second address: A10029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10029 second address: A1002D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1002D second address: A10082 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A9060E28h 0x00000007 je 00007F07A9060E16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F07A9060E29h 0x00000016 jmp 00007F07A9060E28h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10082 second address: A10086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A101F5 second address: A101F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A101F9 second address: A101FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A101FF second address: A10246 instructions: 0x00000000 rdtsc 0x00000002 je 00007F07A9060E1Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jng 00007F07A9060E27h 0x00000011 jmp 00007F07A9060E1Dh 0x00000016 pushad 0x00000017 jmp 00007F07A9060E1Bh 0x0000001c push edx 0x0000001d pop edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A107C2 second address: A107C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A11650 second address: A11654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A11654 second address: A1165E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F07A8CFD416h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A11931 second address: A11936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A11C1A second address: A11C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07A8CFD427h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A16715 second address: A16719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A15887 second address: A158A9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F07A8CFD416h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F07A8CFD416h 0x00000014 jmp 00007F07A8CFD41Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A158A9 second address: A158BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F07A9060E1Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A15BE4 second address: A15BF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A15BF1 second address: A15BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A15D27 second address: A15D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007F07A8CFD416h 0x0000000c jmp 00007F07A8CFD426h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F07A8CFD424h 0x00000019 push eax 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A15D62 second address: A15D79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A9060E1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973E76 second address: 973E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973E7F second address: 973E91 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F07A9060E1Bh 0x00000008 pop edi 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A22D90 second address: A22D9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F07A8CFD416h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A22D9A second address: A22DA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2319B second address: A2319F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23302 second address: A2330B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2330B second address: A2330F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2330F second address: A23337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F07A9060E23h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 popad 0x00000012 jns 00007F07A9060E16h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23919 second address: A23921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23921 second address: A23927 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23927 second address: A2392C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2392C second address: A23948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07A9060E20h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23C39 second address: A23C4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F07A8CFD416h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F07A8CFD416h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23C4E second address: A23C58 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F07A9060E16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23C58 second address: A23C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23C5E second address: A23C66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23C66 second address: A23C9F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F07A8CFD416h 0x00000008 jmp 00007F07A8CFD422h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F07A8CFD429h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2B0D4 second address: A2B0D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A37F41 second address: A37F47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3C3DA second address: A3C3DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3C3DE second address: A3C3E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3C3E2 second address: A3C3E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3C3E8 second address: A3C3F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3C3F2 second address: A3C3F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3C3F6 second address: A3C42A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A8CFD426h 0x00000007 jne 00007F07A8CFD416h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F07A8CFD41Fh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3C42A second address: A3C472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F07A9060E22h 0x0000000c pushad 0x0000000d jmp 00007F07A9060E27h 0x00000012 jmp 00007F07A9060E1Eh 0x00000017 popad 0x00000018 jl 00007F07A9060E1Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3C472 second address: A3C479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3E0A0 second address: A3E0A5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4EE81 second address: A4EEB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 jmp 00007F07A8CFD423h 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F07A8CFD41Fh 0x00000015 jc 00007F07A8CFD416h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A57C6E second address: A57C7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A9060E1Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A57C7F second address: A57C88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A567E4 second address: A567F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07A9060E1Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A56A81 second address: A56A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A56E59 second address: A56E5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A56E5D second address: A56E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A56E6F second address: A56E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5797A second address: A5797F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5797F second address: A57985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A57985 second address: A579A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F07A8CFD416h 0x0000000a popad 0x0000000b pushad 0x0000000c jns 00007F07A8CFD416h 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 js 00007F07A8CFD424h 0x0000001d push eax 0x0000001e push edx 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 push edi 0x00000022 pop edi 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5D8F0 second address: A5D8F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5D8F5 second address: A5D8FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5D43F second address: A5D443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5D5BC second address: A5D601 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F07A8CFD421h 0x0000000c jnp 00007F07A8CFD416h 0x00000012 jmp 00007F07A8CFD41Fh 0x00000017 popad 0x00000018 push edx 0x00000019 jo 00007F07A8CFD41Ch 0x0000001f jnc 00007F07A8CFD416h 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 ja 00007F07A8CFD416h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5D601 second address: A5D605 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D85B second address: A6D861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D861 second address: A6D866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6D866 second address: A6D881 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A8CFD421h 0x00000007 jns 00007F07A8CFD422h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6EF1D second address: A6EF21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71713 second address: A71720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F07A8CFD416h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71720 second address: A71737 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 je 00007F07A9060E16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007F07A9060E1Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71737 second address: A71747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jo 00007F07A8CFD416h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A71747 second address: A7174D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A98519 second address: A9851D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97495 second address: A9749B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9749B second address: A974A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A974A1 second address: A974AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F07A9060E16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A974AB second address: A974BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F07A8CFD416h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9762D second address: A9763D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F07A9060E16h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9763D second address: A97641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97784 second address: A97795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F07A9060E16h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97795 second address: A977B9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F07A8CFD416h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F07A8CFD425h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97EC7 second address: A97EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07A9060E28h 0x00000009 jmp 00007F07A9060E1Dh 0x0000000e popad 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 pop eax 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97EFB second address: A97F00 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97F00 second address: A97F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b jmp 00007F07A9060E28h 0x00000010 js 00007F07A9060E16h 0x00000016 pop edi 0x00000017 jmp 00007F07A9060E25h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97F43 second address: A97F47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97F47 second address: A97F58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F07A9060E16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A99BDA second address: A99BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B1CD second address: A9B1F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F07A9060E24h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F07A9060E1Bh 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B1F8 second address: A9B1FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B1FC second address: A9B20A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9C993 second address: A9C99D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F07A8CFD416h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9C99D second address: A9C9A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9C9A3 second address: A9C9EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F07A8CFD423h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push edi 0x0000000d jmp 00007F07A8CFD426h 0x00000012 jbe 00007F07A8CFD416h 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F07A8CFD41Fh 0x00000020 push edx 0x00000021 pop edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9C9EE second address: A9C9F8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F07A9060E16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E0EF second address: A9E117 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jbe 00007F07A8CFD416h 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F07A8CFD426h 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E117 second address: A9E11D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA24ED second address: AA24F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA24F3 second address: AA24F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA2741 second address: AA274B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F07A8CFD41Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA3F3F second address: AA3F53 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F07A9060E1Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA3F53 second address: AA3F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA3AEA second address: AA3B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F07A9060E16h 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007F07A9060E16h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA3B00 second address: AA3B04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA3B04 second address: AA3B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F07A9060E24h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BA0D01 second address: 4BA0D4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A8CFD425h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ecx, dword ptr [eax+00000FDCh] 0x00000010 pushad 0x00000011 mov cx, 8E23h 0x00000015 call 00007F07A8CFD428h 0x0000001a mov ebx, esi 0x0000001c pop ecx 0x0000001d popad 0x0000001e test ecx, ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BA0D4A second address: 4BA0D50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BA0D50 second address: 4BA0D60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F07A8CFD41Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BA0D60 second address: 4BA0D7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A9060E1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jns 00007F07A9060E6Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BA0D7D second address: 4BA0D81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BA0D81 second address: 4BA0D85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BA0D85 second address: 4BA0D8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BA0D8B second address: 4BA0E09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, dx 0x00000006 mov edx, 5E8BAE28h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e add eax, ecx 0x00000010 pushad 0x00000011 jmp 00007F07A9060E1Dh 0x00000016 pushfd 0x00000017 jmp 00007F07A9060E20h 0x0000001c sub esi, 75596088h 0x00000022 jmp 00007F07A9060E1Bh 0x00000027 popfd 0x00000028 popad 0x00000029 mov eax, dword ptr [eax+00000860h] 0x0000002f pushad 0x00000030 call 00007F07A9060E24h 0x00000035 mov edi, esi 0x00000037 pop eax 0x00000038 mov edi, 05308832h 0x0000003d popad 0x0000003e test eax, eax 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F07A9060E24h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4BA0E09 second address: 4BA0E35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F07A8CFD41Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F081B1C335Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F07A8CFD425h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B3F09 second address: 9B3F0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 8137BA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9AA1D7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9D151E instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A5D4C0 rdtsc

1_2_00A5D4C0

Source: C:\Users\user\Desktop\file.exe TID: 7816

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: file.exe, file.exe, 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309537066.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWA

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A5D4C0 rdtsc

1_2_00A5D4C0

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_007F5BB0 LdrInitializeThunk,

1_2_007F5BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor

Source: file.exe, file.exe, 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	641 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	32%	ReversingLabs
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	unknown
eaglepawnoy.store	unknown	unknown	false	unknown
bathdoomgaz.store	unknown	unknown	false	unknown
spirittunek.store	unknown	unknown	false	unknown
licendfilteo.site	unknown	unknown	true	unknown
studennotediw.store	unknown	unknown	false	unknown
mobbipenju.store	unknown	unknown	false	unknown
clearancek.site	unknown	unknown	true	unknown
dissapoiznw.store	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
studennotediw.stor	true		unknown
spirittunek.stor	true		unknown
eaglepawnoy.stor	true		unknown
clearancek.site	true		unknown
mobbipenju.stor	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
licendfilteo.site	true		unknown
bathdoomgaz.stor	true		unknown
dissapoiznw.stor	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://player.vimeo.com	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/-	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/en/	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/market/	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000001.00000002.1309825390.0000000000E21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.youtube.com	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	file.exe, 00000001.00000003.1288957861.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000001.00000003.1288957861.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz	file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://s.ytimg.com;	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	file.exe, 00000001.00000002.1309825390.0000000000E21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steam.tv/	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000001.00000003.1288957861.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000001.00000003.1288957861.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000001.00000003.1288957861.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com	file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sketchfab.com	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:27060	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000001.00000003.1288957861.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000001.00000003.1288957861.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000001.00000003.1288957861.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/	file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000001.00000002.1309825390.0000000000E21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309776803.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288618505.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309616254.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1288957861.0000000000E12000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/z	file.exe, 00000001.00000003.1288801249.0000000000DB0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DB0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/;	file.exe, 00000001.00000003.1288801249.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1309670351.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000001.00000003.1288594750.0000000000E18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527894
Start date and time:	2024-10-07 11:28:44 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@9/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
05:29:35	API Interceptor	2x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	https://sneamcomnnumnlty.com/h474823487284/geting/active	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://sneamcomnnumnlty.com/f78493482943/geting/game	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://steamcommunits.com/tradeoffer/new/partner=1167404782token=DiNTF72W	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://steamcommonunity.com/gift/receive	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://sneamcomnnumnlty.com/hfjf748934924/geting/put	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://steamcomminutty.com/giftcard/673560925668	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	https://sneamcomnnumnlty.com/h474823487284/geting/active	Get hash	malicious	Unknown	Browse	88.221.169.65
	Fact-2024-10.pdf	Get hash	malicious	Unknown	Browse	104.77.220.172
	https://gtm.you1.cn/app/381210	Get hash	malicious	Unknown	Browse	2.19.126.135
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Farahexperiences.com_Report_87018.pdf	Get hash	malicious	Unknown	Browse	104.77.220.172
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Farahexperiences.com_Report_52288.pdf	Get hash	malicious	Unknown	Browse	104.77.220.172
	https://sneamcomnnumnlty.com/f78493482943/geting/game	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://steamcommunits.com/tradeoffer/new/partner=1167404782token=DiNTF72W	Get hash	malicious	Unknown	Browse	104.102.49.254
	https://steamcommonunity.com/gift/receive	Get hash	malicious	Unknown	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	KClGcCpDAP.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	KClGcCpDAP.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	maizu v1.4.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	AimBot.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	injcheat.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.952605820712659
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'848'320 bytes
MD5:	7c14dedcb000e7cd805f04fef8af5f0a
SHA1:	b956aa0d23c5c659827c8a1b69ff41bdcbbe6681
SHA256:	0bf01000fac3df8f9d90ccc7f8c6bc2e62b0df0a78cf72c5af2ef410a04b098c
SHA512:	6bfb490d1d7ea67deb9d5808f0e555e36cf408f47261fbf626aed8b9302e0540ef124d96cd3effcc7f99d7d53a6b20c6adc1e400b907974705600b471753753d
SSDEEP:	49152:pBy3pcATEs+Wz2HhAQYKmL+ZqAe34thILQgVI:3y5TEJu2BAQYKmCqJWhmQg+
TLSH:	B285333A4D60E95BD0ACF670C177D45995648AD440BCE39CCF8AE03CFFA7E920329926
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................I...........@...........................I.....V%....@.................................W...k..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x89a000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F07A86DD41Ah
movlps xmm3, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F07A86DF415h
inc ecx
push bx
dec esi
dec ebp
das
xor al, 36h
dec edi
bound ecx, dword ptr [ecx+4Ah]
dec edx
insd
push edi
dec eax
dec eax
jbe 00007F07A86DD482h
push esi
dec edx
popad
je 00007F07A86DD47Bh
push edx
dec esi
jc 00007F07A86DD48Ah
cmp byte ptr [ebx], dh
push edx
jns 00007F07A86DD457h
or eax, 49674B0Ah
cmp byte ptr [edi+43h], dl
jnc 00007F07A86DD45Dh
bound eax, dword ptr [ecx+30h]
pop edx
inc edi
push esp
push 43473163h
aaa
push edi
dec esi
xor ebp, dword ptr [ebx+59h]
push edi
push edx
pop eax
je 00007F07A86DD467h
xor dl, byte ptr [ebx+2Bh]
popad
jne 00007F07A86DD45Ch
dec eax
dec ebp
jo 00007F07A86DD453h
xor dword ptr [edi], esi
inc esp
dec edx
dec ebp
jns 00007F07A86DD460h
insd
jnc 00007F07A86DD480h
aaa
inc esp
inc ecx
inc ebx
xor dl, byte ptr [ecx+4Bh]
inc edx
inc esp
bound esi, dword ptr [ebx]
or eax, 63656B0Ah
jno 00007F07A86DD468h
push edx
insb
js 00007F07A86DD481h
outsb
inc ecx
jno 00007F07A86DD462h
push ebp
inc esi
pop edx
xor eax, dword ptr [ebx+36h]
push eax
aaa
imul edx, dword ptr [ebx+58h], 4Eh
aaa
inc ebx
jbe 00007F07A86DD45Ch
dec ebx
js 00007F07A86DD453h
jne 00007F07A86DD441h
push esp
inc bp
outsb
inc edx
popad
dec ebx
insd
dec ebp
inc edi
xor dword ptr [ecx+36h], esp
push 0000004Bh
sub eax, dword ptr [ebp+33h]
jp 00007F07A86DD46Ch
dec edx
xor bh, byte ptr [edx+56h]
bound eax, dword ptr [edi+66h]
jbe 00007F07A86DD44Ah
dec eax
or eax, 506C720Ah
aaa
xor dword ptr fs:[ebp+62h], ecx
arpl word ptr [esi], si
inc esp
jo 00007F07A86DD483h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	96d677eb6622eb983b79a5a897d0b8f4	False	0.9993876340759076	data	7.97321298613842	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x29f000	0x200	e1f1ffa5688e4e93066f5911db330b58	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tgcpoubk	0x2ff000	0x19a000	0x199c00	bf71c2b111934e67a81ff49599b142e5	False	0.9940446966519219	OpenPGP Secret Key	7.952506816455278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tlfmchnb	0x499000	0x1000	0x400	08e98531082de1d199e1ebcb55fc1da0	False	0.8173828125	data	6.229059226198496	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x49a000	0x3000	0x2200	d03bda3969cb47f0806da11b3df39767	False	0.38488051470588236	DOS executable (COM)	4.21580258467839	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T11:29:36.020778+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.10	54547	1.1.1.1	53	UDP
2024-10-07T11:29:36.030855+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.10	58622	1.1.1.1	53	UDP
2024-10-07T11:29:36.040395+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.10	55212	1.1.1.1	53	UDP
2024-10-07T11:29:36.050480+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.10	57116	1.1.1.1	53	UDP
2024-10-07T11:29:36.059237+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.10	61144	1.1.1.1	53	UDP
2024-10-07T11:29:36.068509+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.10	59596	1.1.1.1	53	UDP
2024-10-07T11:29:36.078177+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.10	56892	1.1.1.1	53	UDP
2024-10-07T11:29:36.093825+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.10	63887	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 11:29:36.186954975 CEST	49704	443	192.168.2.10	104.102.49.254
Oct 7, 2024 11:29:36.186986923 CEST	443	49704	104.102.49.254	192.168.2.10
Oct 7, 2024 11:29:36.187072039 CEST	49704	443	192.168.2.10	104.102.49.254
Oct 7, 2024 11:29:36.189677000 CEST	49704	443	192.168.2.10	104.102.49.254
Oct 7, 2024 11:29:36.189696074 CEST	443	49704	104.102.49.254	192.168.2.10
Oct 7, 2024 11:29:36.830949068 CEST	443	49704	104.102.49.254	192.168.2.10
Oct 7, 2024 11:29:36.831134081 CEST	49704	443	192.168.2.10	104.102.49.254
Oct 7, 2024 11:29:36.887411118 CEST	49704	443	192.168.2.10	104.102.49.254
Oct 7, 2024 11:29:36.887444973 CEST	443	49704	104.102.49.254	192.168.2.10
Oct 7, 2024 11:29:36.887950897 CEST	443	49704	104.102.49.254	192.168.2.10
Oct 7, 2024 11:29:36.939418077 CEST	49704	443	192.168.2.10	104.102.49.254
Oct 7, 2024 11:29:36.943418026 CEST	49704	443	192.168.2.10	104.102.49.254
Oct 7, 2024 11:29:36.987410069 CEST	443	49704	104.102.49.254	192.168.2.10
Oct 7, 2024 11:29:37.646336079 CEST	443	49704	104.102.49.254	192.168.2.10
Oct 7, 2024 11:29:37.646362066 CEST	443	49704	104.102.49.254	192.168.2.10
Oct 7, 2024 11:29:37.646369934 CEST	443	49704	104.102.49.254	192.168.2.10
Oct 7, 2024 11:29:37.646403074 CEST	443	49704	104.102.49.254	192.168.2.10
Oct 7, 2024 11:29:37.646409035 CEST	443	49704	104.102.49.254	192.168.2.10
Oct 7, 2024 11:29:37.646445036 CEST	49704	443	192.168.2.10	104.102.49.254
Oct 7, 2024 11:29:37.646445036 CEST	49704	443	192.168.2.10	104.102.49.254
Oct 7, 2024 11:29:37.646460056 CEST	443	49704	104.102.49.254	192.168.2.10
Oct 7, 2024 11:29:37.646507978 CEST	49704	443	192.168.2.10	104.102.49.254
Oct 7, 2024 11:29:37.646507978 CEST	49704	443	192.168.2.10	104.102.49.254
Oct 7, 2024 11:29:37.654026031 CEST	443	49704	104.102.49.254	192.168.2.10
Oct 7, 2024 11:29:37.654058933 CEST	443	49704	104.102.49.254	192.168.2.10
Oct 7, 2024 11:29:37.654105902 CEST	443	49704	104.102.49.254	192.168.2.10
Oct 7, 2024 11:29:37.654113054 CEST	49704	443	192.168.2.10	104.102.49.254
Oct 7, 2024 11:29:37.654161930 CEST	49704	443	192.168.2.10	104.102.49.254
Oct 7, 2024 11:29:37.654712915 CEST	49704	443	192.168.2.10	104.102.49.254
Oct 7, 2024 11:29:37.654738903 CEST	443	49704	104.102.49.254	192.168.2.10
Oct 7, 2024 11:29:37.654761076 CEST	49704	443	192.168.2.10	104.102.49.254
Oct 7, 2024 11:29:37.654767990 CEST	443	49704	104.102.49.254	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 11:29:36.020777941 CEST	54547	53	192.168.2.10	1.1.1.1
Oct 7, 2024 11:29:36.028249979 CEST	53	54547	1.1.1.1	192.168.2.10
Oct 7, 2024 11:29:36.030854940 CEST	58622	53	192.168.2.10	1.1.1.1
Oct 7, 2024 11:29:36.038963079 CEST	53	58622	1.1.1.1	192.168.2.10
Oct 7, 2024 11:29:36.040395021 CEST	55212	53	192.168.2.10	1.1.1.1
Oct 7, 2024 11:29:36.049302101 CEST	53	55212	1.1.1.1	192.168.2.10
Oct 7, 2024 11:29:36.050479889 CEST	57116	53	192.168.2.10	1.1.1.1
Oct 7, 2024 11:29:36.058151960 CEST	53	57116	1.1.1.1	192.168.2.10
Oct 7, 2024 11:29:36.059237003 CEST	61144	53	192.168.2.10	1.1.1.1
Oct 7, 2024 11:29:36.067295074 CEST	53	61144	1.1.1.1	192.168.2.10
Oct 7, 2024 11:29:36.068509102 CEST	59596	53	192.168.2.10	1.1.1.1
Oct 7, 2024 11:29:36.077146053 CEST	53	59596	1.1.1.1	192.168.2.10
Oct 7, 2024 11:29:36.078176975 CEST	56892	53	192.168.2.10	1.1.1.1
Oct 7, 2024 11:29:36.085097075 CEST	53	56892	1.1.1.1	192.168.2.10
Oct 7, 2024 11:29:36.093825102 CEST	63887	53	192.168.2.10	1.1.1.1
Oct 7, 2024 11:29:36.102909088 CEST	53	63887	1.1.1.1	192.168.2.10
Oct 7, 2024 11:29:36.118623972 CEST	50190	53	192.168.2.10	1.1.1.1
Oct 7, 2024 11:29:36.125922918 CEST	53	50190	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 11:29:36.020777941 CEST	192.168.2.10	1.1.1.1	0x4a0	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 7, 2024 11:29:36.030854940 CEST	192.168.2.10	1.1.1.1	0xe80f	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 11:29:36.040395021 CEST	192.168.2.10	1.1.1.1	0xb4a9	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 11:29:36.050479889 CEST	192.168.2.10	1.1.1.1	0xa06c	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 11:29:36.059237003 CEST	192.168.2.10	1.1.1.1	0x863a	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 11:29:36.068509102 CEST	192.168.2.10	1.1.1.1	0xa0c8	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 11:29:36.078176975 CEST	192.168.2.10	1.1.1.1	0xe0f	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 11:29:36.093825102 CEST	192.168.2.10	1.1.1.1	0x4626	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 7, 2024 11:29:36.118623972 CEST	192.168.2.10	1.1.1.1	0x318	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 11:29:36.028249979 CEST	1.1.1.1	192.168.2.10	0x4a0	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 11:29:36.038963079 CEST	1.1.1.1	192.168.2.10	0xe80f	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 11:29:36.049302101 CEST	1.1.1.1	192.168.2.10	0xb4a9	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 11:29:36.058151960 CEST	1.1.1.1	192.168.2.10	0xa06c	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 11:29:36.067295074 CEST	1.1.1.1	192.168.2.10	0x863a	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 11:29:36.077146053 CEST	1.1.1.1	192.168.2.10	0xa0c8	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 11:29:36.085097075 CEST	1.1.1.1	192.168.2.10	0xe0f	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 11:29:36.102909088 CEST	1.1.1.1	192.168.2.10	0x4626	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 11:29:36.125922918 CEST	1.1.1.1	192.168.2.10	0x318	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49704	104.102.49.254	443	7312	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 09:29:36 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-07 09:29:37 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 07 Oct 2024 09:29:37 GMT Content-Length: 25489 Connection: close Set-Cookie: sessionid=eaedea017b443af5895aa815; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-07 09:29:37 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-07 09:29:37 UTC	10975	IN	Data Raw: 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 62 75 6c 67 61 72 69 61 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 62 75 6c 67 61 72 69 61 6e 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 Data Ascii: <a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a><a class="popup_menu_item tight" href="?l=bulgarian" onclick="ChangeLanguage( 'bulgarian' ); return fa

Target ID:	1
Start time:	05:29:34
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7b0000
File size:	1'848'320 bytes
MD5 hash:	7C14DEDCB000E7CD805F04FEF8AF5F0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	62.7%
Total number of Nodes:	51
Total number of Limit Nodes:	6

Executed Functions

Function 007F50FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(19A41BB1,00000000,00000800), ref: 007F5182

Strings

<I$), xrefs: 007F52E3
@^, xrefs: 007F5120
<I$), xrefs: 007F5198

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: <I$)$<I$)$@^
API String ID: 1029625771-935358343
Opcode ID: 76f37bbfae62359897c242c4310cfff7dc541f5a4f8fb6c9446e5bb4a4e1a960
Instruction ID: b31937b6122b63eaa59c5eed816bd10c493c41460c5ac04704a5e88457ec0842
Opcode Fuzzy Hash: 76f37bbfae62359897c242c4310cfff7dc541f5a4f8fb6c9446e5bb4a4e1a960
Instruction Fuzzy Hash: C721A1351083848FC340DF68E88072AFBE4BB56300F69982CE2C5D7362D735DA15CB56

Function 007BFCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

V, xrefs: 007BFEDC
t, xrefs: 007BFCBE
VY^_, xrefs: 007BFDFF
J|BJ, xrefs: 007C000D

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: fc0f17b1bd8e5907ae1371b1f04d3418fe24ac775960893e263bea03f7d9fa6f
Instruction ID: fc9177cf243346928342c2d21b57f3679338e295be890f2f203217f2d4af14bb
Opcode Fuzzy Hash: fc0f17b1bd8e5907ae1371b1f04d3418fe24ac775960893e263bea03f7d9fa6f
Instruction Fuzzy Hash: 59D157B45083849BD311DF189894B6FFBE2AB96B44F18881CF5C98B252D339CD49DBD2

Function 007BD110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 007BD2F1

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 9e257bf70cc25194392f08eac4d0b1933a94a58ae7c400ee85a74afcd7bd6939
Instruction ID: ba296ed121b893c2085a9ffd5b753e568c8acc8d7fe2272fab38004ffdc6d680
Opcode Fuzzy Hash: 9e257bf70cc25194392f08eac4d0b1933a94a58ae7c400ee85a74afcd7bd6939
Instruction Fuzzy Hash: A241567440D380ABC311BB68D699A6EFBF5AF56704F148C1CE5C497212E33ADC109B67

Function 007F5700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 007F5784

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 060eba7f93a9ecad3a8b2b3c7d1bf156dba76bf3a9ca0aabdeda0f511bb8d670
Instruction ID: 025e2b263f197db58e88998e5d04641feee83b5119b7829d3f3e66993b3c4d32
Opcode Fuzzy Hash: 060eba7f93a9ecad3a8b2b3c7d1bf156dba76bf3a9ca0aabdeda0f511bb8d670
Instruction Fuzzy Hash: 1E11A37151C640EBC301AF18E845A2BBBF5AF96710F058828E6C49B311D339D810CBA3

Function 007F5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(007F973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 007F5BDE

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 007F695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 007F69C5

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b11e406fe5f8e0cd20c2cde084ed023cdea498774b1ccbe23276c49bca6d26b
Instruction ID: 8b25c83cf31b7db4a13830a311ecedc311d4f9cec3d7353806b601f180fbce7e
Opcode Fuzzy Hash: 4b11e406fe5f8e0cd20c2cde084ed023cdea498774b1ccbe23276c49bca6d26b
Instruction Fuzzy Hash: C93185B15183059FD758DF28C8A063BB7E1FF85344F48981CE6C6A73A1E3399904CB56

Function 007C049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168bb8c2c31b5c68e140aff0f94a560898131bf92b0e94aaf8bb6698d87ee4e3
Instruction ID: 220be59588d0bc9b367a7c9504876bb9df7d95c0fee090c93116022cf2d0210d
Opcode Fuzzy Hash: 168bb8c2c31b5c68e140aff0f94a560898131bf92b0e94aaf8bb6698d87ee4e3
Instruction Fuzzy Hash: 0B917B75200B00DFD724CF25E894B26B7F6FF89310B118A6DE9568BAA1DB35F815CB90

Function 007C0228 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c52155d7688fcda5cac33031bbd0d57c8f8c979bd8c369e9d75ec7242e308e6
Instruction ID: 0deac838866e16802c425d789fd0e11a7cddca6254b494d277e2a05712b23c0f
Opcode Fuzzy Hash: 5c52155d7688fcda5cac33031bbd0d57c8f8c979bd8c369e9d75ec7242e308e6
Instruction Fuzzy Hash: 64716874201700DFD7248F21E894F26B7B6FF49314F10C96CE9568B662DB39A815CBA4

Function 007F99D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68573331fc0ae032d7f59b8ced49e4fd5c8ba4cddd1df01b6852ebfbbaa4e9f
Instruction ID: 520399518d7675c1cc2961d86164e2ae2106c80cfc7d0ab6d760eb4d72679cba
Opcode Fuzzy Hash: c68573331fc0ae032d7f59b8ced49e4fd5c8ba4cddd1df01b6852ebfbbaa4e9f
Instruction Fuzzy Hash: EA419C74608348ABDB149A19E890B3BF7E6EB85714F14882CE78A97351D339E811DB62

Function 007F63B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5018e3848644ed853ba0708d11fcaee3fa19bcf2a6e9e7a2ecacf88dd3876d91
Instruction ID: 54993060ecdd4a519efa76b4d5036da15dae68db0b32973adec26bffcede3276
Opcode Fuzzy Hash: 5018e3848644ed853ba0708d11fcaee3fa19bcf2a6e9e7a2ecacf88dd3876d91
Instruction Fuzzy Hash: F431D270649345BADA24EB08CD82F3BB7A6FB81B11F64850CF3815B3E1D374A8119B52

Function 007F3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 007F32A6

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ffca32e16e2844d4c4509af4b3e6daccbead3b85c9bb2564c0c8e7f6ec980a6c
Instruction ID: 9d2bc004820bf3d97c7b6b85a5d608e2603645296c49bf0ef754a49e03886250
Opcode Fuzzy Hash: ffca32e16e2844d4c4509af4b3e6daccbead3b85c9bb2564c0c8e7f6ec980a6c
Instruction Fuzzy Hash: 6F01FB3450D240DBC741AB58E895A2ABBE8FF5A700F05891CE6C58B361D339DD64DB92

Function 007F3202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 007F3208

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b5db1323296a90932dec6d561b0591df6f5919e265a4853769882d2e90841ef2
Instruction ID: e25470c870c0d355199ee37b9f80e0be65455f43b7123ef48d72832bc688fbbc
Opcode Fuzzy Hash: b5db1323296a90932dec6d561b0591df6f5919e265a4853769882d2e90841ef2
Instruction Fuzzy Hash: ACB012300401005FDA041B00EC0BF003510FB00605F800050B100040B1D1615864C555

Non-executed Functions

Function 007E23E0 Relevance: 33.0, APIs: 4, Strings: 13, Instructions: 3298COMMON

Download Yara Rule

Strings

3<, xrefs: 007E32D6
|}&C, xrefs: 007E2F21
`tii, xrefs: 007E2693
:, xrefs: 007E32DD
Cx, xrefs: 007E453D
ggxz, xrefs: 007E2685
{l`~, xrefs: 007E268C
Mw, xrefs: 007E344B, 007E4861
aenQ, xrefs: 007E276A
fedc, xrefs: 007E2782
%*+(, xrefs: 007E40EF
mlc@, xrefs: 007E275C
f@~!, xrefs: 007E25FF

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C$Mw
API String ID: 0-179838136
Opcode ID: 25f93ccb8242813476916efe2e023c9ee8247340fa9e8ea3f2f3c933ad7d4647
Instruction ID: e8e02378d01e85aacc72d482d87b9cfbe324053ed03c4ad3ba54c179101f3081
Opcode Fuzzy Hash: 25f93ccb8242813476916efe2e023c9ee8247340fa9e8ea3f2f3c933ad7d4647
Instruction Fuzzy Hash: B733CC70505B81CFD7258F3AC594762BBE1BF1A304F58899DD4DA8BB92C339E806CB61

Function 007CDB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

D, xrefs: 007CE846
lkji, xrefs: 007CE73E
WP, xrefs: 007CDCEF
dcba, xrefs: 007CE728
xgfe, xrefs: 007CE71D
`onm, xrefs: 007CE733
()./, xrefs: 007CE9CA
89>?, xrefs: 007CE9F6
tsrq, xrefs: 007CE6FC
LKJI, xrefs: 007CE6E6
|, xrefs: 007CECB1
DCBA, xrefs: 007CE887, 007CE896
89&', xrefs: 007CE93B
<=2, xrefs: 007CEA01
@ONM, xrefs: 007CE6DB
tuJK, xrefs: 007CE967
AR, xrefs: 007CDD10
mjkh, xrefs: 007CE7D8
QNOL, xrefs: 007CE775
<=:;, xrefs: 007CE930
%*+(, xrefs: 007CDE37, 007CDE46
T, xrefs: 007CF157
:WUE, xrefs: 007CF6B7, 007CF6C6
`Y^_, xrefs: 007CE99E

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: 2c4df94ac9451adb9048cb9f3b3168121dfb7214e4eead71e46e68e7ff627f25
Instruction ID: 6294fee2df1369cea3745325aec2e61d1cfd6bf8115afd91e774eada89976e40
Opcode Fuzzy Hash: 2c4df94ac9451adb9048cb9f3b3168121dfb7214e4eead71e46e68e7ff627f25
Instruction Fuzzy Hash: 33F288B05093819FD770CF14C884BABBBE6BFD5304F14482DE5C98B252EB399995CB92

Function 007D9F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

hi, xrefs: 007DAB9D
=], xrefs: 007DA36A
]{, xrefs: 007DA1E7, 007DA1F3
CG, xrefs: 007DAA32
kW, xrefs: 007DA380
N[, xrefs: 007DA375
Gt, xrefs: 007D9FF8
S], xrefs: 007DA636
(a*c, xrefs: 007DA147
?m,o, xrefs: 007DA13C
/), xrefs: 007DA66D
_Y, xrefs: 007DA641
JG, xrefs: 007DAA27
WH, xrefs: 007DAA1C
%e6g, xrefs: 007DA152
WQ, xrefs: 007DA62B
sm, xrefs: 007DA830

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: 36ede07c81b1b030798b3b6bdca401975080cd2a21eac9ed7c4ac451a23bfd75
Instruction ID: 203adee518630ce89725564151addebb7b7a80d38d173becf2457b161e108cfd
Opcode Fuzzy Hash: 36ede07c81b1b030798b3b6bdca401975080cd2a21eac9ed7c4ac451a23bfd75
Instruction Fuzzy Hash: 5852C6B404D385CAE270CF25D585B8EBAF1BB92740F608A1EE1ED9B255DBB48045CF93

Function 007D9510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

G'M!, xrefs: 007D9ADB
;IJK, xrefs: 007D983E
T#a-, xrefs: 007D9AE3
z=Q?, xrefs: 007D9826
8;, xrefs: 007D9B13
B7U1, xrefs: 007D9AFB
B?Q9, xrefs: 007D9B0B
!E4G, xrefs: 007D9836
pq, xrefs: 007D99E0
,A&C, xrefs: 007D982E
X/R), xrefs: 007D9AEB
2A"_, xrefs: 007D9980
L3Y=, xrefs: 007D9B03
?M0K, xrefs: 007D9968
G+X5, xrefs: 007D9AF3
O+f), xrefs: 007D9634, 007D963D

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: b15d930064b91307b50c92c9deed3788476c65cc13032a6b720f64f7735bc6b7
Instruction ID: 8716585ba4bd3109c9b98477afb6b2cbbf35f2003c4dce8d36980f67a6e35711
Opcode Fuzzy Hash: b15d930064b91307b50c92c9deed3788476c65cc13032a6b720f64f7735bc6b7
Instruction Fuzzy Hash: 02F13DB0508380ABD310DF15D881A2BBBF4BB86B48F044D1DF5D99B352E378D908DBA6

Function 007DDD29 Relevance: 18.6, Strings: 14, Instructions: 1142COMMON

Download Yara Rule

Strings

,Q?S, xrefs: 007DE26F
<Y.[, xrefs: 007DE27D
-M2O, xrefs: 007DE25A
}, xrefs: 007DE9C5
}, xrefs: 007DE403, 007DE664, 007DE7BD
{E, xrefs: 007DE323
Y9N;, xrefs: 007DE245
upH}, xrefs: 007DDE8A, 007DE798, 007DDF4A
hX]N, xrefs: 007DDDC7
%*+(, xrefs: 007DE143
=]+_, xrefs: 007DE276
)IgK, xrefs: 007DE261
n\+H, xrefs: 007DDDC0
r}, xrefs: 007DE92E

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: }$%*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$r}$upH}${E$}
API String ID: 0-1262826793
Opcode ID: 00b77bb3f81056314e22ba2c28e7910cb25d84460851a7e747513da372e292c7
Instruction ID: a5206c05454854f5d37a0e613dabe4d6f5aa22cf68a87858bdf55997ae19b06a
Opcode Fuzzy Hash: 00b77bb3f81056314e22ba2c28e7910cb25d84460851a7e747513da372e292c7
Instruction Fuzzy Hash: 7A921671E00205CFDB15CF68D8957AEBBB2FF49320F298169E456AB391D739AD01CB90

Function 00969FB1 Relevance: 11.6, Strings: 8, Instructions: 1610COMMON

Download Yara Rule

Strings

_q>, xrefs: 0096A59B
zw8, xrefs: 0096AA41
>?, xrefs: 0096A66F
7L?w, xrefs: 0096A778
V no, xrefs: 0096AFE1
6/~}, xrefs: 0096A05E
Ybc_, xrefs: 0096AB4A
A_}, xrefs: 0096B061

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: >?$zw8$6/~}$7L?w$A_}$V no$Ybc_$_q>
API String ID: 0-3142444696
Opcode ID: c289b45f8d44ea34c382c216b61aa63ed5dc3d297a903c82083c4c072087a237
Instruction ID: 50deac01b85383183709c1c5d07b2d06a858ee73ec9939ad4ef2928faa3b1079
Opcode Fuzzy Hash: c289b45f8d44ea34c382c216b61aa63ed5dc3d297a903c82083c4c072087a237
Instruction Fuzzy Hash: D7B21AF3A0C6149FE3046E2DDC8567AFBE5EF94720F1A4A3DEAC4C3744EA3558018696

Function 007D098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

&> &, xrefs: 007D0F89
{, xrefs: 007D1502
,#15, xrefs: 007D0F94
9.5^, xrefs: 007D0F9F
gce/, xrefs: 007D1073
qrqp, xrefs: 007D1089
cah`, xrefs: 007D107E
%*+(, xrefs: 007D0A77, 007D0A86

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: bcb2a1f42e58ead69c9bcdc4a8b22c32f8e76eda48068941725b0c9e3e385fc5
Instruction ID: ad819d3a19de0b9d658849b3313167d655bea3b9473133a448bf8cf168ae93b8
Opcode Fuzzy Hash: bcb2a1f42e58ead69c9bcdc4a8b22c32f8e76eda48068941725b0c9e3e385fc5
Instruction Fuzzy Hash: AE6289B16083818BD730CF14D895BABB7F1FB96314F08492EE49A8B741E7799940CB93

Function 007B1000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

gfff, xrefs: 007B2297
gfff, xrefs: 007B2226
@, xrefs: 007B2C40
0123456789ABCDEFXP, xrefs: 007B157D, 007B15EB
gfff, xrefs: 007B22E1
-, xrefs: 007B21ED
0123456789abcdefxp, xrefs: 007B1587, 007B15F8

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: 38c7d8381a39a0d6c72c6aafb1800531883d99276c7a99e75a8b454edefb7865
Instruction ID: 8349c7a392ed030ee16922892dbee73b13dd6265e8927741e79e09d29e1b72e5
Opcode Fuzzy Hash: 38c7d8381a39a0d6c72c6aafb1800531883d99276c7a99e75a8b454edefb7865
Instruction Fuzzy Hash: 0FD208716093418FD718CE28C4943AABBE2AFD5314F58CA2DE599C7392D738DD46CB82

Function 00975D4E Relevance: 10.4, Strings: 7, Instructions: 1672COMMON

Download Yara Rule

Strings

'8[, xrefs: 00977027
Vry_, xrefs: 00976A56
Fmyy, xrefs: 00975ED8
w*@, xrefs: 0097622A
Aaqm, xrefs: 00977112
"6w, xrefs: 00976475
psm, xrefs: 00975EC1

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: "6w$'8[$Aaqm$Fmyy$Vry_$w*@$psm
API String ID: 0-4011509943
Opcode ID: c41ab1ab9ba91a0487b168163e4bea02ba3d7ecaada1c1a4916faeeee06d8d61
Instruction ID: 92f61995dea843a5ebc4d1eb9981c53fde46671789385f20f082e3ca720765c7
Opcode Fuzzy Hash: c41ab1ab9ba91a0487b168163e4bea02ba3d7ecaada1c1a4916faeeee06d8d61
Instruction Fuzzy Hash: 73B23CF3A0C2009FE704AE2DEC8567ABBD9EF94720F1A853DE6C4C7744E93598058697

Function 00972851 Relevance: 10.4, Strings: 7, Instructions: 1629COMMON

Download Yara Rule

Strings

I!@, xrefs: 009733CD
#k[o, xrefs: 00972C7A
%ynn, xrefs: 009737A5
`<O, xrefs: 0097359F
~7, xrefs: 009739C6
W%O, xrefs: 00973817
Km, xrefs: 0097313B

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: Km$#k[o$%ynn$I!@$W%O$`<O$~7
API String ID: 0-218331199
Opcode ID: deeba3e3eef896acf311965d9d20e605e08bd4c2962ee5a6f527997e95af07c0
Instruction ID: 1d90d54c997f018bc0ec3af009643d2816d07d25492f5589296af7a72a0050ee
Opcode Fuzzy Hash: deeba3e3eef896acf311965d9d20e605e08bd4c2962ee5a6f527997e95af07c0
Instruction Fuzzy Hash: A2B206F360C6049FE304BF29EC8567ABBE9EF94320F164A3DE6C4C7744EA3558058696

Function 0096D5F2 Relevance: 9.1, Strings: 6, Instructions: 1614COMMON

Download Yara Rule

Strings

>V{;, xrefs: 0096DC38
3d}, xrefs: 0096E8D4
BK?, xrefs: 0096E5D0
zSni, xrefs: 0096D7B4
R7z7, xrefs: 0096E8C1
*N], xrefs: 0096E646

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: *N]$3d}$>V{;$BK?$R7z7$zSni
API String ID: 0-1536134922
Opcode ID: cf8b1420c8b246b4400123ebd366bccbff4d2b61b239602270a7d4e58388ec7b
Instruction ID: 4876cddaf9ac6d2a9c3512a09d619452c465e3f30c2450dc40f135b2162822c9
Opcode Fuzzy Hash: cf8b1420c8b246b4400123ebd366bccbff4d2b61b239602270a7d4e58388ec7b
Instruction Fuzzy Hash: 33B207F360C6049FE3046E2DEC8567ABBE9EFD4320F1A4A3DE6C4C7744EA3558058696

Function 009793F0 Relevance: 7.9, Strings: 5, Instructions: 1692COMMON

Download Yara Rule

Strings

8f, xrefs: 0097A3E5
1P!/, xrefs: 0097A2A5
zbT, xrefs: 00979D9E
vbT, xrefs: 00979D99
7~n, xrefs: 00979F80

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: 7~n$1P!/$8f$vbT$zbT
API String ID: 0-3721075919
Opcode ID: e519dc4a3bfd3d86f0ad9ef8c3f5c4b067a81e507d2b612ba5b4ed1b128996f6
Instruction ID: db7311b09912312b53125300eea8303b956c5c35a49e5b6b1d45f868f7bef820
Opcode Fuzzy Hash: e519dc4a3bfd3d86f0ad9ef8c3f5c4b067a81e507d2b612ba5b4ed1b128996f6
Instruction Fuzzy Hash: 46B22AF3A082049FD7046E2DDC4567AFBE9EFD4720F1A893DEAC4C7744EA3598018696

Function 00974318 Relevance: 7.8, Strings: 5, Instructions: 1539COMMON

Download Yara Rule

Strings

}X4, xrefs: 00975157
5_, xrefs: 009748BE
f%/, xrefs: 00974E7F
{@o, xrefs: 009751C4
&r, xrefs: 009746AD

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: &r$5_$f%/${@o$}X4
API String ID: 0-3886111343
Opcode ID: b032c0d1aa88071abb2af1740a481830b3fc443b2bd35f8cc8bde5558073219e
Instruction ID: fe291f107d193ca0810c557457c22ebb1be101c8ce0b8e3d1b6ef59bc17aaae3
Opcode Fuzzy Hash: b032c0d1aa88071abb2af1740a481830b3fc443b2bd35f8cc8bde5558073219e
Instruction Fuzzy Hash: 7DB2F5F3A0C2049FE704AF29DC8567ABBE5EF94720F1A893DE6C4C3344E63598518697

Function 0096BD10 Relevance: 7.7, Strings: 5, Instructions: 1427COMMON

Download Yara Rule

Strings

5.?}, xrefs: 0096C533
P[s, xrefs: 0096CAB0
/iIf, xrefs: 0096C055
1.?}, xrefs: 0096C52E
4?', xrefs: 0096C15D

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: /iIf$1.?}$4?'$5.?}$P[s
API String ID: 0-487152577
Opcode ID: 8bf736ecf10917f3a3da3365a6b02dfbb8968b981046a85e3c828563d2f0db32
Instruction ID: 5bc70be2c0a69528ce89d0bc4dade59b1e68a0c1fac24062c3153b77a94a23ae
Opcode Fuzzy Hash: 8bf736ecf10917f3a3da3365a6b02dfbb8968b981046a85e3c828563d2f0db32
Instruction Fuzzy Hash: ED9228F360C3049FE704AE2DEC8567AFBE9EB94360F16463DEAC4C7744EA3558048696

Function 007B12F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

0, xrefs: 007B1E88
i, xrefs: 007B28EA
@, xrefs: 007B3531
0, xrefs: 007B243E
0, xrefs: 007B1DC1

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: 8f0ea6b06dc8a4cc0587fcb2d150ccb335e5d3b8d6ca870b58a74e11c190aa94
Instruction ID: be2b6b9aa2b34cbe5fb198167e5de0e84bfabecfa1b6aed9661ed3c19872ca15
Opcode Fuzzy Hash: 8f0ea6b06dc8a4cc0587fcb2d150ccb335e5d3b8d6ca870b58a74e11c190aa94
Instruction Fuzzy Hash: DC62D47160D3818FD319CF28C4947AABBE1AFD5304F188E6DE8D987292D778D946CB42

Function 007B164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

+, xrefs: 007B1573
gfff, xrefs: 007B1F57
gfff, xrefs: 007B1F3C
0123456789ABCDEFXP, xrefs: 007B164F
0123456789abcdefxp, xrefs: 007B1659

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: 1a563f60876ccfb10b2685fdd47098a0150eac71a62e366b2c2ee73b211a7dce
Instruction ID: b29d7e8a9912717387fdbe45d3dcaa208023827bcbb7baa440ea64a92568b150
Opcode Fuzzy Hash: 1a563f60876ccfb10b2685fdd47098a0150eac71a62e366b2c2ee73b211a7dce
Instruction Fuzzy Hash: 13F1A13160D3818FC719CE28C4943AAFBE2AFD9304F588A6DE4D987356D738D945CB92

Function 009683D6 Relevance: 6.7, Strings: 4, Instructions: 1659COMMON

Download Yara Rule

Strings

p_, xrefs: 00968E04
*w, xrefs: 009690F0
nr6, xrefs: 0096927B
qs5, xrefs: 00969602

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: p_$nr6$*w$qs5
API String ID: 0-4228794769
Opcode ID: 9914bd3f0af56f4b4e63bffa152e0192df7b1bac82c8e1cc83c3ab185d8804ce
Instruction ID: 1f41090e09d45d59dfc1781b17efad9c91eafe33b185e1192c8defe44e7edc70
Opcode Fuzzy Hash: 9914bd3f0af56f4b4e63bffa152e0192df7b1bac82c8e1cc83c3ab185d8804ce
Instruction Fuzzy Hash: 10B2F4F360C2049FE304AE2DEC8567ABBE9EF94720F1A493DE6C4C7744EA3558418697

Function 007B13A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

-, xrefs: 007B1F23
gfff, xrefs: 007B1F57
gfff, xrefs: 007B1F3C
0123456789ABCDEFXP, xrefs: 007B13A3
0123456789abcdefxp, xrefs: 007B13AD

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: aa9d7c9bdcee1e889505aa72bbd6248e4dbfd403c3940606d0d183962a18dd5e
Instruction ID: 64932a27b3794b4755f6e9811b035d1f2d6ccfe0641d8b107d644250224646e1
Opcode Fuzzy Hash: aa9d7c9bdcee1e889505aa72bbd6248e4dbfd403c3940606d0d183962a18dd5e
Instruction Fuzzy Hash: 92D1BE3160D3818FC719CE29C4943AAFBE2AFD9304F48CA6DE4D987356D638D949CB52

Function 007DFD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

m1s3, xrefs: 007DFEC3, 007DFECB
NA_I, xrefs: 007E036D
uvw, xrefs: 007DFE95
:, xrefs: 007E0087

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: 0f4e28490e06ce41420eb24825d8db17f76b77683bed28ceb7f5053826d7bf5f
Instruction ID: f1c25c8a37d940bd85370c5328fd88086d770df83172927aff3afc6286ac73e0
Opcode Fuzzy Hash: 0f4e28490e06ce41420eb24825d8db17f76b77683bed28ceb7f5053826d7bf5f
Instruction Fuzzy Hash: 9732CAB0509380DFD701DF29D884B2ABBE5BB8A310F14892CF5D58B2A2D379D955CF92

Function 007C3BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

p, xrefs: 007C3C80
;z, xrefs: 007C3C87
ss, xrefs: 007C3C79
%*+(, xrefs: 007C3EC4

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: 33c443adc116a68b5c3b89068b420a0fda8ebdf1c3e58015b4c2a76db5c233ba
Instruction ID: a8ccb2d9146228b1c9ddf95e866b710e24b4c7ccace5584ccc16a7559a5258b6
Opcode Fuzzy Hash: 33c443adc116a68b5c3b89068b420a0fda8ebdf1c3e58015b4c2a76db5c233ba
Instruction Fuzzy Hash: 71024CB4810B00DFD760DF28D986B56BFF5FF05300F50895DE89A9B656E334A815CBA2

Function 009778E4 Relevance: 5.4, Strings: 3, Instructions: 1656COMMON

Download Yara Rule

Strings

OB|~, xrefs: 00978B91
Smsw, xrefs: 00978437
S9Ey, xrefs: 00977F49

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: OB|~$S9Ey$Smsw
API String ID: 0-1545831529
Opcode ID: d547bdff666cb09ae9979421322dfb4472d3ebe0e887df5846a0836a782b4c2a
Instruction ID: 8973ecfc293adf8477fcee2726d6bef367235aa64b80745cddb7cbc2ab97ed49
Opcode Fuzzy Hash: d547bdff666cb09ae9979421322dfb4472d3ebe0e887df5846a0836a782b4c2a
Instruction Fuzzy Hash: 56B208F360C2009FE304AE2DEC8567AFBE9EF94720F16893DE6C4C7744EA7558418696

Function 007D2260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

lc, xrefs: 007D2507
sj, xrefs: 007D2327
hu, xrefs: 007D232F
a|, xrefs: 007D2317

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: a|$hu$lc$sj
API String ID: 0-3748788050
Opcode ID: 023f1a7bdde8624cffd46637b88c9641621643b139054952c9ea02f55871973d
Instruction ID: c9262d360e8b61b26553ebc3bf3c5eb1498d0df584c2c48d2caf5766890cec12
Opcode Fuzzy Hash: 023f1a7bdde8624cffd46637b88c9641621643b139054952c9ea02f55871973d
Instruction Fuzzy Hash: 74A18B704083418BC720DF18C891A2BB7F0FFA5754F588A4DE8D59B392E339D952CB96

Function 00970CEF Relevance: 5.4, Strings: 3, Instructions: 1606COMMON

Download Yara Rule

Strings

v_~, xrefs: 0097168C
%Rc_, xrefs: 009714B3
:Zsb, xrefs: 00970E39

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %Rc_$:Zsb$v_~
API String ID: 0-640547195
Opcode ID: b64ab8c6610b6ffa79dddb15a0ebffa6c019dd171935cca66b4ad4c111c669ca
Instruction ID: 3a757eac805a33c5e443ebdaa86c6d7ab2cc5ff760da1a08d062d03249160e47
Opcode Fuzzy Hash: b64ab8c6610b6ffa79dddb15a0ebffa6c019dd171935cca66b4ad4c111c669ca
Instruction Fuzzy Hash: C1B2E6F360C2009FE704AE2DEC8567ABBE9EF98720F1A893DE6C4C3744E63558458657

Function 007DD7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

T>, xrefs: 007DD984
KV, xrefs: 007DD97D
#', xrefs: 007DD9EA
CV, xrefs: 007DD98B

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: 16372cef1ab346bc6d766b4df7ed4c2d874b2c302366e838b7c85ac5e4d55f8b
Instruction ID: ca7da0292c750676825a266661851029d754a493c6cf1248f3295cfa9a2f8037
Opcode Fuzzy Hash: 16372cef1ab346bc6d766b4df7ed4c2d874b2c302366e838b7c85ac5e4d55f8b
Instruction Fuzzy Hash: 388155B48017459BCB20DFA6D28516EBFB1FF16300F60460DE4866BB55D334AA65CFE2

Function 007DAC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

,{*y, xrefs: 007DAD07, 007DAD13
(g6e, xrefs: 007DACA1
lk, xrefs: 007DACBC
4c2a, xrefs: 007DACA9

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: 2b47288d9d0ffbd8175bc938dea909098e0060e8f284a81086a8f2ea554eef9d
Instruction ID: 192b7b0c3dc73288c98fee8c40e7ab26f451139a5b3f0ee674f7e4841f3ee37f
Opcode Fuzzy Hash: 2b47288d9d0ffbd8175bc938dea909098e0060e8f284a81086a8f2ea554eef9d
Instruction Fuzzy Hash: B641A6B4408382DBDB209F20D804BABB7F0FF86305F54995EE6C897264EB35D944CB96

Function 007DC470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

%*+(, xrefs: 007DC8C3, 007DC8CB
~/i!, xrefs: 007DC537
%*+(, xrefs: 007DC9E4, 007DC9ED

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: 532987d0d4540d3020a3d57fd5a274a9e7bfd8d312fa19ede23d2fbdb0d84428
Instruction ID: 78b802e3f3766fd16ebe3c37ffa091793d1ffc07bb06c958c3d81640aed1a81d
Opcode Fuzzy Hash: 532987d0d4540d3020a3d57fd5a274a9e7bfd8d312fa19ede23d2fbdb0d84428
Instruction Fuzzy Hash: ABE1A5B1509340DFE7209F24D885B2BBBF5FB95350F48882DF6998B251D73AD810CBA2

Function 007B8590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

), xrefs: 007B8616
), xrefs: 007B860C
IEND, xrefs: 007B89F0

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: ac4fc0cb2926ea8744d4bbddff7a053388b2423c3d32e77a4be01948e66b0567
Instruction ID: 885894f13048c678d8733e74fd4f5b7f34227a62b64fdc5b797935cdc65c260e
Opcode Fuzzy Hash: ac4fc0cb2926ea8744d4bbddff7a053388b2423c3d32e77a4be01948e66b0567
Instruction Fuzzy Hash: 2EE1C1B1A087019FE350CF28C8857AABBE4BB94314F14892DF59597382DB79E914CBC3

Function 0096F9CC Relevance: 3.3, Strings: 2, Instructions: 848COMMON

Download Yara Rule

Strings

"X~, xrefs: 0096FE03
*Yyr, xrefs: 0096FB21

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: "X~$*Yyr
API String ID: 0-1563592872
Opcode ID: d4987c693bb742459fc69eceb94d3f7c43c4cb71cfaa644222fe77f862a6fa5c
Instruction ID: f2089b341b7d14c320577709c7bc43f11efbadaabda0ce17e2f1b9ef6e7c032d
Opcode Fuzzy Hash: d4987c693bb742459fc69eceb94d3f7c43c4cb71cfaa644222fe77f862a6fa5c
Instruction Fuzzy Hash: 414229F3A0C2005FE308AE2DECD577AB7D6EBD4320F19863DE685C7744E93598058696

Function 007F4040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

f, xrefs: 007F420C
%*+(, xrefs: 007F40A4, 007F40AD

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: 71ba550fcc076d7dd58047cb9ace800a228d9737dec3cabf5775e7b985bd6589
Instruction ID: 0afc7d0182110964ac66cd370640123d85cb192afdede28500987e2b4a8896e2
Opcode Fuzzy Hash: 71ba550fcc076d7dd58047cb9ace800a228d9737dec3cabf5775e7b985bd6589
Instruction Fuzzy Hash: C8127A716083459FC715CF18C880B2BBBE6BB89314F188A2CF6959B391D739E9458B92

Function 007EF620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

dg, xrefs: 007EF7F5
hi, xrefs: 007EF6E6

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: 97cce9e3bfd0779376f707804b5cb0cf2736b2fe497b0db3b525b3ad602c2429
Instruction ID: 2ad4d03aa019e9894b3348a9b82156bbb90ff6f70831694ae8e9af62b44b1190
Opcode Fuzzy Hash: 97cce9e3bfd0779376f707804b5cb0cf2736b2fe497b0db3b525b3ad602c2429
Instruction Fuzzy Hash: 74F19771619342EFE314CF25D895B2ABBF5FB8A344F14892CF1858B2A1DB38D945CB12

Function 007B35B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

Inf, xrefs: 007B3607
NaN, xrefs: 007B360E

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 44fbd7745a17806140eb8a34e1ea7386a139a1ba7557acdd3b4e67f5150a6b9c
Instruction ID: 37b1029969e5256447ed8bf0120772e0ab616cf845e458c2b2a4ad210d21a113
Opcode Fuzzy Hash: 44fbd7745a17806140eb8a34e1ea7386a139a1ba7557acdd3b4e67f5150a6b9c
Instruction Fuzzy Hash: CBD1E571A083119BC714CF28C88075EBBE5EFC8750F258A2DF999973A0E779DD458B82

Function 0097B09E Relevance: 2.9, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

Strings

5kw, xrefs: 0097B8B2

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: 5kw
API String ID: 0-2739799210
Opcode ID: 9f434023b6742ab70777b6498da4ee5dfdc6a07445a1576c047d5fc3c45f8de9
Instruction ID: 71048917655a96ac0ba81a492dcd42f51d3bc95d75a7c5bfa31f39ad9295e68b
Opcode Fuzzy Hash: 9f434023b6742ab70777b6498da4ee5dfdc6a07445a1576c047d5fc3c45f8de9
Instruction Fuzzy Hash: E0B219F360C2009FE304AE2DEC8567ABBE9EF94760F1A893DE6C4C7744E63558458792

Function 007CFFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

Ye[g, xrefs: 007D00F6
BaBc, xrefs: 007D0197

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: 18cf4ab0c20daa468583d32215c668c1acd490e345ff92fb9016bba4af995344
Instruction ID: b5b21d6aab0b5cf3912a68211575bc91984dd67241b75c95ea889a16e3bed3a5
Opcode Fuzzy Hash: 18cf4ab0c20daa468583d32215c668c1acd490e345ff92fb9016bba4af995344
Instruction Fuzzy Hash: 0E519BB16093819BD3318F14C885BABB7F0FF96310F08991EE4999B751E3789940CBA7

Function 007B5160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 007B54C8

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: 9541c3c75a691a165c83691a2ad1aa2c0da870ebbb46a47ae789ca4dce24a3c6
Instruction ID: 6183d5bcc8646938d07671b3fb884a77d1099281d048ea3e8f8afa8c2691d682
Opcode Fuzzy Hash: 9541c3c75a691a165c83691a2ad1aa2c0da870ebbb46a47ae789ca4dce24a3c6
Instruction Fuzzy Hash: 662207B6A08B42CBE7258E18D8407A7BBE3AFE0318F1D856DD8598B341EB79DC45C741

Function 007E12D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 007E15D1

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: 8191c525f8cac9e9f26040cf3011cca708ffc097e2ae0669ec7d84e92a60abdf
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: 58F15871A093818FC724CE26C45267BBBE6AFC9350F5CC56DE89987382D638DD04C792

Function 007DAE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 007DB2D3, 007DB2DB

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: f3f3e8a84d173ec30707bd2a3d1ad2d8d528aea3f76be084a1009f4b735ba110
Instruction ID: 87fd1ef4c72468a1de7bf695c8f75b973dae08e1b620a882c19472db1c42b88d
Opcode Fuzzy Hash: f3f3e8a84d173ec30707bd2a3d1ad2d8d528aea3f76be084a1009f4b735ba110
Instruction Fuzzy Hash: 32E1A571508306DBC724DF28C88066AB7F2FF98791F55891DE4C587320E339E959DB82

Function 007C6EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 007C6EF3

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 1756aecd875c7367292ef872595b4f1bca3fa73aa5e824dd94e84fd528c441bc
Instruction ID: ca4a780115d6e9dc4c366fef90efa925d752edc741411111091c86ea730b02fa
Opcode Fuzzy Hash: 1756aecd875c7367292ef872595b4f1bca3fa73aa5e824dd94e84fd528c441bc
Instruction Fuzzy Hash: 89F19DB5A00B01CFC725DF24D891A26B3F6FF48314B148A2DE59787A92EB38F815CB55

Function 007D7E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 007D8263, 007D826B

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: e8bd555daa982e617ae48702c885ecc3c20f611c26631abc46f00d1a7ffcce5a
Instruction ID: 818cbfa09d475b1a3251ef0361af250453b2f294bab4297f9aee76befd955c28
Opcode Fuzzy Hash: e8bd555daa982e617ae48702c885ecc3c20f611c26631abc46f00d1a7ffcce5a
Instruction Fuzzy Hash: FEC1DD71508200ABD721EB14C882A2BB7F5EF95754F48881EF8C59B352E739ED15CBA3

Function 007D8D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 007D9233, 007D923B

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: a896ae39cc45fa67be03542fcf0bd08f9560381b7cbc6ca9dd75c834fd69b09a
Instruction ID: 6fc03b3210c78f3d6426fac534b0004fd4abd1a6794341d06ef8f17e65e25842
Opcode Fuzzy Hash: a896ae39cc45fa67be03542fcf0bd08f9560381b7cbc6ca9dd75c834fd69b09a
Instruction Fuzzy Hash: 3BD1AB70618302DFD744DF68D890A2AB7E5FF89304F09896DE98687391DB39E950CF61

Function 007C4487 Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

BI|, xrefs: 007C485E

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: BI|
API String ID: 0-4099361255
Opcode ID: 6b37f03cc1f9f5cd366db309baa5d4c03c0715878f151b0bd722ff8967e5e533
Instruction ID: da08205e80d142bef6317acdee67e56963206347c9715da1576d6559271efc46
Opcode Fuzzy Hash: 6b37f03cc1f9f5cd366db309baa5d4c03c0715878f151b0bd722ff8967e5e533
Instruction Fuzzy Hash: 91E1E0B5501B40CFD325CF28D9A6B97B7E1FF06704F04886DE4AA87652E739B814CB54

Function 007F7FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 007F8167

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 648dc675febe7c6014540c9a12cced73a455c8030517ed0901fc6051396d953b
Instruction ID: f90a0fd641742a5a4f1659e13f09dada8c9a943e974bb6b8652fae62ef8d9c4d
Opcode Fuzzy Hash: 648dc675febe7c6014540c9a12cced73a455c8030517ed0901fc6051396d953b
Instruction Fuzzy Hash: 93D1E5729082698FC765CF18D89072EB6E1FB84718F15863CEAA56B380CB79DC05C7C2

Function 007DCCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 007DCDC3, 007DCDCB

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: 2b343e265d3db5d6db0f0f3c4063db0c4234081e14a3c923a5d09c5aec22c7e8
Instruction ID: 031fb1f2ceea6b8152ef3c180958332eb2a4edd668b0098405a7ec692cc7147d
Opcode Fuzzy Hash: 2b343e265d3db5d6db0f0f3c4063db0c4234081e14a3c923a5d09c5aec22c7e8
Instruction Fuzzy Hash: 60B1F0B16093029BD715DF18D881B2BBBF2EF85340F14492EE5C59B352E339E855CBA2

Function 00A93C49 Relevance: 1.6, Strings: 1, Instructions: 350COMMON

Download Yara Rule

Strings

<T{w, xrefs: 00A93FD2

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: <T{w
API String ID: 0-4070988491
Opcode ID: 72798831b23e417b836ba8062607fff6f82b68bf644d444cd42ae047b03e13d4
Instruction ID: aa18c476b073bdf49cb1bb748540d2a52ed6c73e358aa780514dc6ab5976215f
Opcode Fuzzy Hash: 72798831b23e417b836ba8062607fff6f82b68bf644d444cd42ae047b03e13d4
Instruction Fuzzy Hash: 6DB179F36082009FEB145E28EC8077BB7E5EF94720F2A853EE684D7744E6369C058796

Function 007BA850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 007BA9C3

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction ID: f2093affa2b742d3e30ad91321dbeebedf52242a5089a644c9e2f6b6254c1b73
Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction Fuzzy Hash: CAB138702083819FC321DF18C88075BBBE1AFA9704F448A2DF5D997342D635EA08CB67

Function 007EFC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 007EFCA4, 007EFCAD

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 0a2e914865ca6dc3010042acd597869df949dddf0c3bf9200166ddd2cb8c9e28
Instruction ID: abe582110150f28dbab3b742a07575e1872e5f8a347e62ca8b2f961c24eb1e9e
Opcode Fuzzy Hash: 0a2e914865ca6dc3010042acd597869df949dddf0c3bf9200166ddd2cb8c9e28
Instruction Fuzzy Hash: 1181DE71209345EBD710DF69DC88B2BBBE5FB89741F14882CF68497292D738D814CB62

Function 007CD457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 007CD663, 007CD66B

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 0b0e3af03d7fefd6919fd4122cfb8ae258947bc8cd74cd70c350a7cd2aeebefa
Instruction ID: a1b3284049840aaf6072033ee6b5f34e180246892cd6260d2e381244ab188dea
Opcode Fuzzy Hash: 0b0e3af03d7fefd6919fd4122cfb8ae258947bc8cd74cd70c350a7cd2aeebefa
Instruction Fuzzy Hash: 7F61CF71908204DBD721AF18EC42B7AB3B0FF95354F08492DF9859B251E779ED10CB92

Function 007F4A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 007F4C33, 007F4C3B

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 0b512bf0288c32985f1a792d2e59369d259e7a4647155e040654dbd8e1170091
Instruction ID: 1cc4488a4c56bf018fab280e217f4ce76d721404cf6cc65dc40c0d2b81758a3b
Opcode Fuzzy Hash: 0b512bf0288c32985f1a792d2e59369d259e7a4647155e040654dbd8e1170091
Instruction Fuzzy Hash: BF61CEB16083099BD711DF29C884B3BBBE6FB84314F18891CE68587392D739EC51DB66

Function 007BE1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 007BE333

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: cbc3358c213a13f7d0d3d15378764e7c6de3d93fc08d7af3f4400617fb738e0a
Instruction ID: 1af06df42d7ae8655270ee88f785652c5b5ec03fa820044137bdb1cee85bf7cc
Opcode Fuzzy Hash: cbc3358c213a13f7d0d3d15378764e7c6de3d93fc08d7af3f4400617fb738e0a
Instruction Fuzzy Hash: CE512323A19A908BD329993C4C553EA7BC71FA2334B3DC769E9F1CB3E1D55D88009390

Function 007F3920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 007F39E3, 007F39EB

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 96e28a47a4b29ac4324ccb33740e7039373572395c289c03b196e728a09b8f92
Instruction ID: 5c89a420426bf85c876f2aea063acc6a5b8bc746f82ef8aee9aaf46c1e7fddb8
Opcode Fuzzy Hash: 96e28a47a4b29ac4324ccb33740e7039373572395c289c03b196e728a09b8f92
Instruction Fuzzy Hash: 7F518C70609204DBCB24DF1AD884A3ABBE5FB85748F14881CE6D687351D379EE10DB62

Function 00962267 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

)3{, xrefs: 009622C4

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: )3{
API String ID: 0-796897693
Opcode ID: 55430322c3396ac9f73ed3458f4c7156173441e208ed820f5b976491e72a55dd
Instruction ID: ee7b426338c92514cf18f3d44e7c34c23eb1a7862dda2710126c6c4420d59743
Opcode Fuzzy Hash: 55430322c3396ac9f73ed3458f4c7156173441e208ed820f5b976491e72a55dd
Instruction Fuzzy Hash: 63415AF3B092085FF300992EEC94B7BB79BDBD4720F6A8539E644C3744E979990A8152

Function 0090986C Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

AO, xrefs: 009098D4

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: AO
API String ID: 0-3711877640
Opcode ID: fdf6b900b8f2bf16b9bc85862e20eeacd208418109e72d3166043d54d34969a0
Instruction ID: 6b48f5565e5ffbc1258a6af3b3c76bcb4ba03b24089d0e0dbf1672efa9dea50b
Opcode Fuzzy Hash: fdf6b900b8f2bf16b9bc85862e20eeacd208418109e72d3166043d54d34969a0
Instruction Fuzzy Hash: 894134F3A186205BE7185E2DEC85377B6D6DB94320F1A453EEB8893B80DD39080482CA

Function 008737E4 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

a(J,, xrefs: 00873809

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: a(J,
API String ID: 0-2899219278
Opcode ID: e479903eefae2eb0254f46e8884f9447ce355d5c083ba8841aa95d9283c0972d
Instruction ID: c27d67b8df26492569c3e171db025761dd28147789f9ec3f742f77db47662a6b
Opcode Fuzzy Hash: e479903eefae2eb0254f46e8884f9447ce355d5c083ba8841aa95d9283c0972d
Instruction Fuzzy Hash: 1D4128F3B082105BE714AA2DEC4477BB7D79FD4324F2AC63C9A98C7384D93958068296

Function 007C1BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 007C1C3E

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: 7a3ff02d25e2fbc38ba70ec79594623ec23de94b60f255b3add2eb8f283fe30e
Instruction ID: 9e6eb21c07f648791a975ba0ca35d5b54e44536989b0c47d6afd22596dbd3e74
Opcode Fuzzy Hash: 7a3ff02d25e2fbc38ba70ec79594623ec23de94b60f255b3add2eb8f283fe30e
Instruction Fuzzy Hash: 1D4142B41083809BC7149F25D894A2FBBF0FF86714F44992CF9C69B292D73AC915CB66

Function 007EFF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 007F0033, 007F003B

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 540eb3547abc07d1dfbf2e724c58e493605ac1930698dd9777eab0fe161a0037
Instruction ID: 06323ce718217125074461037dbb3a4e083edc610b8d374c807b46afb453becd
Opcode Fuzzy Hash: 540eb3547abc07d1dfbf2e724c58e493605ac1930698dd9777eab0fe161a0037
Instruction Fuzzy Hash: A831E5B1504309ABD710EA14DC85B3BB7E8EB85744F544828FA84D7353E639DC14C7A3

Function 007DE40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 007DE6A2

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 5c6f0de456d8ff1e7802c51532635221578cffcad09265b2fa0da2a439f0085c
Instruction ID: f91e557b6d566ed05ab2d50c1ea7f10c833135370318834a14d34c40305bd2e1
Opcode Fuzzy Hash: 5c6f0de456d8ff1e7802c51532635221578cffcad09265b2fa0da2a439f0085c
Instruction Fuzzy Hash: EB3107B5900204CFCB61DF95E8846AFFBB4FB0A755F58442DE446AB301D339AD04CBA2

Function 007C6F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 007C703B

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 00a6fb773ecfe753e158efca08eaf6ee8c7c6abaf19202d946749ef892b0cc54
Instruction ID: 1ece746d7ec3bf867417a28b4f4f44889947e87583e4563ba126ed123d48d223
Opcode Fuzzy Hash: 00a6fb773ecfe753e158efca08eaf6ee8c7c6abaf19202d946749ef892b0cc54
Instruction Fuzzy Hash: 0E413575204B04DBD7388B65C995F27BBF2FB09701F14881CE9869BAA1E739E840CF20

Function 007DE66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 007DE6A2

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 498930db37c1bbc07d084f36e28c8dd6a1992670bf9cbf6a3c8134ec7b6c823e
Instruction ID: 627c61a61469ec6cde340a4f44df0d0f7581f0b6f7011e0c6a0c4a2a563a9dbf
Opcode Fuzzy Hash: 498930db37c1bbc07d084f36e28c8dd6a1992670bf9cbf6a3c8134ec7b6c823e
Instruction Fuzzy Hash: 9221E2B1900204CFCB61DF95D8846AFFBB5FB0A754F58481DE446AB301C339AD00CBA1

Function 007F9CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 007F9D30

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 0b79808a4a0a734110f423284a64794f4f6eb081706947615bfee0431c46d7f4
Instruction ID: d1641037a6422b2827991b681bf7806714436ff0b115df0d06f5ea2684cbcf2f
Opcode Fuzzy Hash: 0b79808a4a0a734110f423284a64794f4f6eb081706947615bfee0431c46d7f4
Instruction Fuzzy Hash: 683136706092049BD714EF19D884A2ABBF9EB9A314F24892CE68497351D339D904CBA6

Function 00A1068B Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

R7EO, xrefs: 00A106FB

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID: R7EO
API String ID: 0-168365153
Opcode ID: a8223efd75c57df07bd4323821c5535cc28646a8d43ef1628278ffa90286bb0c
Instruction ID: 153a1419bcdedb16afe920b5b078d01b98899921a1ca86c6ead7d9b1d7aeeb3a
Opcode Fuzzy Hash: a8223efd75c57df07bd4323821c5535cc28646a8d43ef1628278ffa90286bb0c
Instruction Fuzzy Hash: 85219FF251C304AFE305BE29DC826BAFBE5EF58310F16492DE6D5C3650EB31A4408A83

Function 007C4E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5c2ee5096ca02ae956ea5a467c8d49cb18606886310e02f408635a90e39af2
Instruction ID: fe6539d6114a0b58b51e0ee8bcbe75463c931e6762ae1c6b96602021ebed8f06
Opcode Fuzzy Hash: 1b5c2ee5096ca02ae956ea5a467c8d49cb18606886310e02f408635a90e39af2
Instruction Fuzzy Hash: 6B6267B0600B408FD725CF24D994B27B7F6AF49704F58896CD49B8BA52E779F884CB90

Function 007BBEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: faf5b8d2ac025faced91f1feb4941f3f4cf10fbb6aed30ee669ef919673ca897
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: A3520A316087118BC7269F18D8443FAB3E1FFD5319F29CA2DD9C697291E738A851CB86

Function 007F8652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37b413f1d303ad251ea6872ee209c713fa457a685f6fef760416f6d46cb44fb
Instruction ID: 90ec443f0192ce9e3d7bb04a8186bfd6818a3d722dac88dec9d3590eeaeff56e
Opcode Fuzzy Hash: f37b413f1d303ad251ea6872ee209c713fa457a685f6fef760416f6d46cb44fb
Instruction Fuzzy Hash: 7922EC75608345DFC744EF68E89062ABBF1FF8A315F09886DE68987361D735E850CB82

Function 007F86F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436221a4c536783e912ca879e10e6f27a58f39e52efc98d144b247c0e66f7f19
Instruction ID: bc57967c10a9dde6e0ea8e2adf5e57547e4ab0daa2227a19e796208c78d2149a
Opcode Fuzzy Hash: 436221a4c536783e912ca879e10e6f27a58f39e52efc98d144b247c0e66f7f19
Instruction Fuzzy Hash: 7222DC75608344DFC744EF68E89062ABBF1FF8A305F09896DE68987361D735E850CB82

Function 007BB3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c68ed73581e8b88a575e8f1d729cc6fb916b0e8e756346e9c35a5fead05452c
Instruction ID: 989f775268bc3c47bdc78759d466e21344d961fb75d379be130013044d2af664
Opcode Fuzzy Hash: 2c68ed73581e8b88a575e8f1d729cc6fb916b0e8e756346e9c35a5fead05452c
Instruction Fuzzy Hash: B652C570A08B848FE735CB24C4947E7BBE2AF91314F144C2ED9E646B82D7BDA885C751

Function 007B71F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ccc70765b50f5b65e73bc41899faef3c340cbca8a66df59c51aa354ad714e5
Instruction ID: 49d050aed038f78cee089219d253b3cb07fd45fc95dd5593c447c13709d5d934
Opcode Fuzzy Hash: 67ccc70765b50f5b65e73bc41899faef3c340cbca8a66df59c51aa354ad714e5
Instruction Fuzzy Hash: 5E527E7150C3458BCB19CF29C0907EABBE1BFC8314F198A6DE8995B352D778E949CB81

Function 007B8FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ceca9b32e875beca69cfad36bd2bda7d76fe16b83f23a97162c4c3b63a17489
Instruction ID: 551909cf5327174867c23d317ff54b80e22304e7e8750d4e743327d3be0d7153
Opcode Fuzzy Hash: 4ceca9b32e875beca69cfad36bd2bda7d76fe16b83f23a97162c4c3b63a17489
Instruction Fuzzy Hash: 77428675608341DFD708CF28D8547AABBE1BF88314F09886CE5958B3A1D739D995CF82

Function 007B7BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca70c1b9a3689c51a85ea8f3b5f91b1738caecd674fb8cf6b975540964252a7
Instruction ID: 096607c83a4750ca6c144bc7ff1d7963516828955899f725f19fdc794bf597a8
Opcode Fuzzy Hash: 9ca70c1b9a3689c51a85ea8f3b5f91b1738caecd674fb8cf6b975540964252a7
Instruction Fuzzy Hash: C0324370615B118FC368CF29C5906AABBF1BF85700B604A2ED6A787F90D73AF845CB14

Function 0096FEDA Relevance: .5, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e55faf722addf89fcdb7b048bbb92950b3ae3c52011acd91e65987ccaf2e8a
Instruction ID: b5dc5e4c1cd8e81caa12e3c24c9659c8a6a891ed379e70c8d02350c5933af155
Opcode Fuzzy Hash: 15e55faf722addf89fcdb7b048bbb92950b3ae3c52011acd91e65987ccaf2e8a
Instruction Fuzzy Hash: 4FF127F350C2049FE308AE2DEC8577AB7E9EF94320F1A863DE6C587744E93598058697

Function 007F89A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ef6b4a7b22b883746067cbc1a5cce03478a3c175ad42c6dccacae39cdf9fad
Instruction ID: d78dbff391f8951f0b546ce366cf37c74c1e0b04823d26bbbd1385d469ccdba4
Opcode Fuzzy Hash: 18ef6b4a7b22b883746067cbc1a5cce03478a3c175ad42c6dccacae39cdf9fad
Instruction Fuzzy Hash: B802BB75608345DFC744EF68E880A2ABBE1FF8A305F09896DE6C987361D735D814CB92

Function 007F8A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf38ef107e796f0a442ae5deaae951d7cef22c9eb65af2179d86e770eaa1c783
Instruction ID: 8a2ef6be95bb7a51aede414e06e356c02d4f3693e0b72e1444784ae871570bba
Opcode Fuzzy Hash: cf38ef107e796f0a442ae5deaae951d7cef22c9eb65af2179d86e770eaa1c783
Instruction Fuzzy Hash: D9F18A75608345DFC744EF28D880A2AFBE1BF8A305F09896DE6C987351D736D910CB92

Function 007F8C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9140c2ac69d1dd02269db5fceb5830e0d7d82d5a54a3f410f122170e3089c6a0
Instruction ID: 3cf79ebcd8b073a967f808026f29dc04e9e7b45fbdaa0ba80a6887473bee39db
Opcode Fuzzy Hash: 9140c2ac69d1dd02269db5fceb5830e0d7d82d5a54a3f410f122170e3089c6a0
Instruction Fuzzy Hash: F6E1AD71608341DFC744DF28E88062AFBE1FB8A315F09996DE6D987361D736E910CB92

Function 007BA300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: 7b1b0c3db5fa4c994a0b140366e9f041fa71a2286c42a696b24add530c05d1f0
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: 6BF1CE756083419FD725DF29C8817ABFBE2AFD8300F08882DE4D987752E639E945CB52

Function 007F8E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203a590c59355edc76c5b846989be3a7de51cabaaf6bb86fc57d665bb69b9a5a
Instruction ID: 152c140bf12db433ad68775990f3c3d467342f9873f82a67718ef5ff360b3f62
Opcode Fuzzy Hash: 203a590c59355edc76c5b846989be3a7de51cabaaf6bb86fc57d665bb69b9a5a
Instruction Fuzzy Hash: E8D19B7460C245DFD744EF28D880A2AFBE5FB8A305F09896DE6C987351D73AD810CB92

Function 007F6CBF Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5cdb7e360fb8d494677d06b487f691dfcd037cd4c53a8801eb4b69c78b441d
Instruction ID: d42ccad53d913052d908f2fde76bd1d0f496ae41a5a98a06068e462df35aee1d
Opcode Fuzzy Hash: ee5cdb7e360fb8d494677d06b487f691dfcd037cd4c53a8801eb4b69c78b441d
Instruction Fuzzy Hash: B9D1F03661C355CFCB15CF38D88052ABBE6BB8A314F098A6DE995C73A1D334DA44CB91

Function 007F7AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c96d98673b6c858a51b0e8366bd2dc34665fe820e4327a9ca3004494589625
Instruction ID: 741807d17027995e68cc14b3fce34ae759f2372a7dbbc4965b5db951f33d6d4a
Opcode Fuzzy Hash: 91c96d98673b6c858a51b0e8366bd2dc34665fe820e4327a9ca3004494589625
Instruction Fuzzy Hash: 79B10572A0C3548BE318DA68CC4577BB7E9ABC5314F48492DEA99D7382E739DC04C792

Function 007BAF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: 086c700572771a7c00ca0732286fc99c1a2ac7b7ac2e8ab8fdf493c65752a199
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: 6EC177B2A087458FC360CF28DC96BABB7E1FF85318F08492DD5D9C6242E778A155CB46

Function 007C6536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817f317275a88afbcb730eaa92d0670f18e3600eb0288eb4423ba787a1e0cfd7
Instruction ID: 511f823fe2e4d9bc4ecfbb35a9686090205df797880a4d4bfa9605cee9f34ddc
Opcode Fuzzy Hash: 817f317275a88afbcb730eaa92d0670f18e3600eb0288eb4423ba787a1e0cfd7
Instruction Fuzzy Hash: ABB10FB4600B408FD3258F24D985B67BBF2AF46704F14885CE8AA8BB52E779F805CB55

Function 007F7710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f27cb281b253c9579ae2626bb45c0430300939e2975d50ee4891436fd025de8
Instruction ID: 35a8e03b9044b3ff8b74aa45d42e7e4206e73d50d54703665b7862257e648262
Opcode Fuzzy Hash: 5f27cb281b253c9579ae2626bb45c0430300939e2975d50ee4891436fd025de8
Instruction Fuzzy Hash: 70918C7160C305ABE728DB18C885B7BBBE6FB85350F54881CF68487352E734E950DBA2

Function 007FA0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53174036fe10d2ca2580ef7324b8e0c13f46a51d61d7c770003cf680f804b74
Instruction ID: d0fe2fd927a1d10bd5e74cb5d8488178a8ad9704f81ee599317074f6402a229a
Opcode Fuzzy Hash: a53174036fe10d2ca2580ef7324b8e0c13f46a51d61d7c770003cf680f804b74
Instruction Fuzzy Hash: FE817074208709ABD724DF28D890A3AB7F5FF89750F55892CE68987351E735EC10CB92

Function 007E64F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c4988baab331cd3cb30d44f4eec4c7c729c3a20f445f6eb40f5909a53581c6
Instruction ID: f27f084f83a0f71d90da5db5cd1da131bb8eb3dea373ca87e6f31523f3bcffae
Opcode Fuzzy Hash: 60c4988baab331cd3cb30d44f4eec4c7c729c3a20f445f6eb40f5909a53581c6
Instruction Fuzzy Hash: B171E733B2AAD04BC3149D7D4C463A5AA534BEA374B3DC379A9B4CB3E5D52D8C064350

Function 007D28E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252b7e53f397745944b940a688da3ac59620cdb73b929b177249f444ab425081
Instruction ID: 0e8bb8205dfd53bc61179f4e13f85dca8405ac07320133d70e118a63fea2e1c4
Opcode Fuzzy Hash: 252b7e53f397745944b940a688da3ac59620cdb73b929b177249f444ab425081
Instruction Fuzzy Hash: ED6178B4408340DBD311AF14D851A2ABBF1FFA6760F18891DF5C59B362E33AD912CB66

Function 007D7C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77528d48522ec1022e42a5a8dd9462e88cf9abfa3371655ed990ff5b69ad95c
Instruction ID: 13e51bac51383e40cb631400a3bed765d0d870925629aaddef1abcce15fc05d6
Opcode Fuzzy Hash: c77528d48522ec1022e42a5a8dd9462e88cf9abfa3371655ed990ff5b69ad95c
Instruction Fuzzy Hash: E651BFB1718204ABDB249B24CC86BB733B9EF85764F148959F9898B391F379DC01C761

Function 007E1860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: 94ab186961c100d62b178306d749eb30188d463603c162593cd499e03f207b96
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: C661D13160A3819BD714CE2EC58172FBBE2ABCD350FA5C93DE4998B352D278ED819741

Function 00A5D4C0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c897b93b1086c1bd06763bf23ca7a9b1d92bc664c2d72415d0e3c4fc45dd779b
Instruction ID: c2f00afcdd21c05993a25c816bc9f208da2d748feed0227443ac8270e0071ac7
Opcode Fuzzy Hash: c897b93b1086c1bd06763bf23ca7a9b1d92bc664c2d72415d0e3c4fc45dd779b
Instruction Fuzzy Hash: DB61A3F250C300AFE715BE69DC41ABEF7F5FB98321F12882DE6D5C2600E63548448A67

Function 007E82D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0fad25f98a30100d0eecdc0088a29991bd64a13b298ed4ecb5bbb094be89e84
Instruction ID: aceb3efd0663ccc00f03311af26235cc52068b4cd9f3989ea9ff6999b74f8993
Opcode Fuzzy Hash: b0fad25f98a30100d0eecdc0088a29991bd64a13b298ed4ecb5bbb094be89e84
Instruction Fuzzy Hash: C6615923A1F9D18BC355493E5C453AA6A835BDA730F3EC36698B98B3E4CD6D48018343

Function 007C42FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a31f2204d5b8975295d1e4b8dc705128bb75db072814f3d02c6712d1108192
Instruction ID: 1a44742cd44858ab13263409cdcaf7cd0a67a99eb7725f5f84dbdd1ff1d910d4
Opcode Fuzzy Hash: 38a31f2204d5b8975295d1e4b8dc705128bb75db072814f3d02c6712d1108192
Instruction Fuzzy Hash: B681D0B4810B00AFD360EF39D947797BEF4AB06301F404A2DE4EA96695E7346459CBE2

Function 007EE8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: b7411fdac2875e5f8bb678d923f7c89c731c1979fd6d3f4f9a2a025c2977483f
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: 44517DB16097548FE314DF69D49436BBBE1BBC9318F044E2DE4E983351E379DA088B82

Function 0082A494 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5763b20c5c8b3c048da8e02a09cfac4fa616d4746e021a817cc5e52ab94e4f16
Instruction ID: ca6a80aeae53028363cc264f8314360803031232dc9333897e8570a9cb59e13b
Opcode Fuzzy Hash: 5763b20c5c8b3c048da8e02a09cfac4fa616d4746e021a817cc5e52ab94e4f16
Instruction Fuzzy Hash: 735124F3E082140BF3046A3EDC48766B7DADBD4320F1B863DDA88D7784E97958068295

Function 007F7520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f935da651896d4887d3995a0d6f4c455ba1b2cb5d30b4d36ab385c5444b127c
Instruction ID: e902da25e46f3ea826620a06ffcec50894581a89168b7e1892abcb45cfb0f23d
Opcode Fuzzy Hash: 5f935da651896d4887d3995a0d6f4c455ba1b2cb5d30b4d36ab385c5444b127c
Instruction Fuzzy Hash: EE51E63160C2049BC7199E18DC90B3EB7E6FB85755F288A2CE6D597391D735AC10CB61

Function 007B5A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95de74c10268b55bcad1aba5a1990f0627eaa5a8d894d54cf71817447b8a999d
Instruction ID: 2905673be0f086f2ec2590d9abb4aebdf96702e8d856fab189db3e52d240d57b
Opcode Fuzzy Hash: 95de74c10268b55bcad1aba5a1990f0627eaa5a8d894d54cf71817447b8a999d
Instruction Fuzzy Hash: ED51F3B1A047059FC715DF14C890B6BBBA1FF85324F19866CF8999B352DA34EC42CB92

Function 007DEC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a19a4871c5f78f4d17ff5103f7e43c0c10400798bc9090b0f876592fc266a2c
Instruction ID: e6384e574c3d640fe374f7337176b6bdf038ec5398f725e76edd796e837a23fe
Opcode Fuzzy Hash: 9a19a4871c5f78f4d17ff5103f7e43c0c10400798bc9090b0f876592fc266a2c
Instruction Fuzzy Hash: B841CE78A00319DBDF219F94DC91BADB7B1FF0A300F044549E945AF3A1EB38A950CBA1

Function 007F9B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668b0bae4ebba0e41f5fd9f0f0e1414ab205987f323185b4c05a8aea2c9536bb
Instruction ID: 88cc784968c42b233ad6c93f905032cb18d1868489058733e45a739910babd5f
Opcode Fuzzy Hash: 668b0bae4ebba0e41f5fd9f0f0e1414ab205987f323185b4c05a8aea2c9536bb
Instruction Fuzzy Hash: 98418D74608348ABD710DF29D990B3BBBE6EB85714F64882CF78997351D339E800DB66

Function 007C2030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14af8be4b0681be81a851caa48965389a58870a5da24b0c5ad110f986176ff3
Instruction ID: b60ae67bf9d5e4b05bb6b0dc1ff5e34e4e5eab655d9f77ec6f1d602f1d79326d
Opcode Fuzzy Hash: a14af8be4b0681be81a851caa48965389a58870a5da24b0c5ad110f986176ff3
Instruction Fuzzy Hash: DB41E772A083654FD35DCE29849473ABBE2AFC5300F09C66EE4E6873D1DA788945D781

Function 007C1E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47191d2228e274e5435731bc02d1f34a09280b73377945bed5522d16a0953a8b
Instruction ID: d23b925a0262b1b00d571afb9ec5ec55d68d5a7336c3d7b3e6e1ac84575eb003
Opcode Fuzzy Hash: 47191d2228e274e5435731bc02d1f34a09280b73377945bed5522d16a0953a8b
Instruction Fuzzy Hash: 4441EE74508380ABD320AB58C888F2EFBF5FB86745F14491CF6C497292C37AE815CB66

Function 00A1B264 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7509d2967034558d059d88222ca2e2e7fb9bc678a1ff00df2918a7c005d4f8b2
Instruction ID: 5f66336c12b19831aff91a774b7b1b2435b611b27f6608aed3bb991b3563a6ae
Opcode Fuzzy Hash: 7509d2967034558d059d88222ca2e2e7fb9bc678a1ff00df2918a7c005d4f8b2
Instruction Fuzzy Hash: 0B4105F290C200DFE701AE28DC81369B7F5EFA8310F19852D9AD587348E33659699763

Function 007F8D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a89fb3a5d915253ffd3bf0a02d8f4dcac766d4d2e09226e10bb1e0344c901e
Instruction ID: b84c4caa8e50a6a12422b605d7ae8b9a295c23070ae55da2d8ab4846c366f5dc
Opcode Fuzzy Hash: 08a89fb3a5d915253ffd3bf0a02d8f4dcac766d4d2e09226e10bb1e0344c901e
Instruction Fuzzy Hash: FB41C0316082548FC744DF68C49053EFBE6AF99300F098A5DD5D9D7392DB78DD018B92

Function 007CD961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7d47d4fb84279d6e736dee883b4255fa87b6286ee02596a4bcbe22af74e285
Instruction ID: 1b30473419b8351d90009dc6ad46b8c2e76762f0124f3d257a73bcca6e4b6d94
Opcode Fuzzy Hash: 8b7d47d4fb84279d6e736dee883b4255fa87b6286ee02596a4bcbe22af74e285
Instruction Fuzzy Hash: 274199B5508381CBD3309F10C885BAFB7B0FF96364F04496DE48A8B651E7784840CB5B

Function 007EF030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: c047cc07cf859d681f1d7e85aecd0323e61f5210675a8117a22af47adb0329d7
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: FA2107329092644BC7249B5AC48163BF7E4EB9D704F16863ED9C4A7296E339DC1487E1

Function 007F67EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee31b035da942054ed69af3b19958475c9af2937baf82bec68669f614120e75f
Instruction ID: 2bfdbde19dabe19077c3ea5a11703a1fec0a5d81c8a7c1fc22b201e62a72f564
Opcode Fuzzy Hash: ee31b035da942054ed69af3b19958475c9af2937baf82bec68669f614120e75f
Instruction Fuzzy Hash: 9B3102705183829AD714CF14C49062FBBF0EF96784F54580DF4C8AB262E338D985CB9A

Function 007D5E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e661df39ca493607e53bb9cabae3fb26fdbb94235a4dfac18d28fbd15e7e909
Instruction ID: 415ceaf11c8b80edb9ad84baf459d86d9e5426bf17e17615e59423f84fcd364e
Opcode Fuzzy Hash: 6e661df39ca493607e53bb9cabae3fb26fdbb94235a4dfac18d28fbd15e7e909
Instruction Fuzzy Hash: 5221AE70508201DBD310AF28C845A6BBBF4EF92765F448909F4D99B392E338DA00CBA3

Function 007B49A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: e8b1d44703c268649c05b5d7928c91a8966bc8378f42f158539622d49438b8a4
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: 1F31EA316482009BD7149E28D884BABB7E1EF84358F18C92CE89AD7343D239EC42CB46

Function 007F64B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fde37b2e9ce6c34e079e622911a6687ab4f0ae39b803515ac86df0e8de2d9c
Instruction ID: 40fa56a29fac4aa659b171e229058edd7775f9b3fc1cace4d773b6bd708c8949
Opcode Fuzzy Hash: 00fde37b2e9ce6c34e079e622911a6687ab4f0ae39b803515ac86df0e8de2d9c
Instruction Fuzzy Hash: CF21257460C285DBC709EF19D580A3EFBE6FB95745F28881CE5C493361C339A854DB62

Function 007C0EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a42abb96d80cf4edb06bb6320d05dce3dae480a843db409109bde7c629ab94
Instruction ID: 07f7876520f1a6058d0058d49bef167006bb2af58691382b2d72be78daf2e426
Opcode Fuzzy Hash: 18a42abb96d80cf4edb06bb6320d05dce3dae480a843db409109bde7c629ab94
Instruction Fuzzy Hash: B321E5B490021ADBDB15CF94CC90FBEBBB1FB4A304F14485DE911AB292C735A951CBA4

Function 007EB650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 60e6bd2a4bc60173857b2a988d3c913e16833945c538fc7a4f3765e6ae7ee2f5
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 66110833A061E90EC7168D3D8440566BFE31AE7234F5D83D9F4B89B2D2D7278D8A8364

Function 007E0B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: 07002d02f7bec1f10ea64fe754e25615fbbf4ee005048de26f7134d2d69a27c0
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: 190175F5A0234187E7219E5698D5B3BB2A8BF48718F18852CE4065B201DBB9EC45C6E1

Function 007DD1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6dc083f1da09fecc2b295b1bfb91ed402c7cbbe557ae26dce03dc67750e0b7
Instruction ID: 72a9699b0e4b65187fdeb02a469d13567f135e025c5e0e472e876cf16079b35c
Opcode Fuzzy Hash: 9a6dc083f1da09fecc2b295b1bfb91ed402c7cbbe557ae26dce03dc67750e0b7
Instruction Fuzzy Hash: 0D11DBB0408380EFD3209F618488A2FFBF5ABA6714F148C0DF6A49B251C379E819CB56

Function 007B6EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111358bf4dc733e52579d309071c6edb4a6fad751195a144e5c3948aa66d9800
Instruction ID: e24943dde02d47e8f2c010cb3dc8cc1800f1d6d99cffd9a330400512e3bf48d8
Opcode Fuzzy Hash: 111358bf4dc733e52579d309071c6edb4a6fad751195a144e5c3948aa66d9800
Instruction Fuzzy Hash: C1F0593E71820A0FA210DDAAE8C097BF3D6D7C9354B055538EF40C3201CD7AE802C2E4

Function 007EB8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 007CC5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 007CB410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 443f6447547ff8819564d538c4f94c7ef88ce7aa4203c99107836307e39c5a9a
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: 49F0ECB160C95057DF268A549CC1F37BB9CCB87354F19042EFC4557103E2655949C3E5

Function 007E8220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a178822e877c418e68f717a978b8a5ebe7ef10de02fe9220c354f447a4c1958
Instruction ID: 56f77257129fc8094a53720735ed6e119190bfd095888a7835ee6405b4f15f6a
Opcode Fuzzy Hash: 5a178822e877c418e68f717a978b8a5ebe7ef10de02fe9220c354f447a4c1958
Instruction Fuzzy Hash: 3901E4B04107009FC360EF29C545757BBE8EB08714F008A1DE8AECB780D774A544CF92

Function 007F1440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: ef817cea560f2d416d463a8d7970e06d2811e689841f067ad7f9f627ae2dc813
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 42D0A771608361C69F748E19A410977F7F0EAC7B11F89955EFA86E3248D234DC41C2A9

Function 007C1ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c337dac16a9e5f03370859e932a5527f53f1efa3991679355d1cd68e6c85ae
Instruction ID: e59fcd03d19bf3dcafbd5d3f7604cfc28d46cc322850c022f7e03f95bbbb49ad
Opcode Fuzzy Hash: b6c337dac16a9e5f03370859e932a5527f53f1efa3991679355d1cd68e6c85ae
Instruction Fuzzy Hash: 78C01234A590408BC244DF00A895A36A3B8AB07308740B03EDA02E3222CA28C402E90D

Function 007F6094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b6f5826411b8fd5d824516cb7cf2f480638d008003382c55ba745c5d89f2b4
Instruction ID: 01b4e6dd78bababc3d37e23a2083a984d8c06470dbca5ca5a8aa5c981641e3cc
Opcode Fuzzy Hash: 91b6f5826411b8fd5d824516cb7cf2f480638d008003382c55ba745c5d89f2b4
Instruction Fuzzy Hash: 0DC09239A6D00487E28CCF09E961975F7BEAB9BB2CB24B05EC90623396C138D513991C

Function 007C1A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b0bc05afc0cb8a583c5a2ef6f97973ec82c222670391e8633e5274cbba1726
Instruction ID: fc5edb1e257e44e52fee673df5b7d1a9fac15b5916ebf886e6863066e168652b
Opcode Fuzzy Hash: f7b0bc05afc0cb8a583c5a2ef6f97973ec82c222670391e8633e5274cbba1726
Instruction Fuzzy Hash: 28C04C24A590808AC244DE85A8D1531A3A85707208750B03EDA02E7262C964D405D50D

Function 007F5FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308852984.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1308818766.00000000007B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000810000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000989000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000A93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1308914895.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309296176.0000000000AB0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309463643.0000000000C49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1309491968.0000000000C4A000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a93be9ce69312ae13dfb81299f7f72ae5d235bc949c9ed293999d13ade3d54
Instruction ID: 56c9b184cb0eb0827818ef0438e058b6eead071d7970bdd445822475115d63db
Opcode Fuzzy Hash: 59a93be9ce69312ae13dfb81299f7f72ae5d235bc949c9ed293999d13ade3d54
Instruction Fuzzy Hash: 34C09225B690008BE28CCF19DD61A35F6BEAB8BA2CB14B02DC806A3256D134D512860C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 007F50FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Function 007BFCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 007BD110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 007F5700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Function 007F5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 007F695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 007C049B Relevance: .3, Instructions: 264
COMMON

Function 007F3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 007F3202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON