Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1528226
MD5:	6143162264c50290f1925ce5713b921a
SHA1:	949da180ccf993c11c9e104f38402d891526d9ae
SHA256:	d6d5c6f5f79e371a818ecb16931b1f73461c4585479d794c7c4146d7a55dc069
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 4892 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6143162264C50290F1925CE5713B921A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["studennotediw.stor", "bathdoomgaz.stor", "dissapoiznw.stor", "spirittunek.stor", "eaglepawnoy.stor", "clearancek.site", "mobbipenju.stor", "licendfilteo.site"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T17:08:22.379683+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.6	62421	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T17:08:22.311288+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.6	55376	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T17:08:22.348964+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.6	63231	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T17:08:22.336143+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.6	59002	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T17:08:22.407319+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.6	58058	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T17:08:22.323636+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.6	50427	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T17:08:22.394592+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.6	64231	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T17:08:22.366127+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.6	63272	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.4892.1.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["studennotediw.stor", "bathdoomgaz.stor", "dissapoiznw.stor", "spirittunek.stor", "eaglepawnoy.stor", "clearancek.site", "mobbipenju.stor", "licendfilteo.site"], "Build id": "4SD0y4--legendaryy"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49733 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D650FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D2D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D2D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	1_2_00D663B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	1_2_00D699D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	1_2_00D6695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	1_2_00D2FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	1_2_00D30EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	1_2_00D66094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	1_2_00D64040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	1_2_00D21000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	1_2_00D5F030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	1_2_00D36F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	1_2_00D4D1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_00D342FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00D42260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	1_2_00D42260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	1_2_00D2A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	1_2_00D664B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00D3D457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	1_2_00D61440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	1_2_00D4C470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	1_2_00D3B410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_00D4E40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	1_2_00D28590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00D49510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_00D36536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	1_2_00D67520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00D5B650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_00D4E66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	1_2_00D667EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_00D4D7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	1_2_00D67710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D65700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00D428E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	1_2_00D249A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	1_2_00D3D961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	1_2_00D63920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_00D31ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	1_2_00D25A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	1_2_00D64A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_00D31A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_00D33BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	1_2_00D31BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_00D50B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	1_2_00D69B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	1_2_00D3DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	1_2_00D3DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	1_2_00D4CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D4CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	1_2_00D4CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D69CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	1_2_00D69CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_00D4AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	1_2_00D4AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	1_2_00D4EC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	1_2_00D47C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	1_2_00D5FC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D68D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	1_2_00D4FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_00D4DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	1_2_00D31E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	1_2_00D2BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	1_2_00D36EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	1_2_00D26EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	1_2_00D4AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D45E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00D47E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	1_2_00D34E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	1_2_00D65FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	1_2_00D28FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	1_2_00D3FFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	1_2_00D67FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D67FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	1_2_00D36F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00D5FF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_00D49F62

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:50427 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:55376 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:59002 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:63231 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:64231 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:62421 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:58058 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:63272 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: studennotediw.stor
Source: Malware configuration extractor	URLs: bathdoomgaz.stor
Source: Malware configuration extractor	URLs: dissapoiznw.stor
Source: Malware configuration extractor	URLs: spirittunek.stor
Source: Malware configuration extractor	URLs: eaglepawnoy.stor
Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: mobbipenju.stor
Source: Malware configuration extractor	URLs: licendfilteo.site

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000001.00000003.2301846274.0000000001461000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303959573.0000000001462000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2301661776.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ htt equals www.youtube.com (Youtube)
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=7cdaee4fd9ae6b2071faa6aa; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 07 Oct 2024 15:08:23 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlG equals www.youtube.com (Youtube)
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ps://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300513851.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303759710.00000000013DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/I
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000001.00000003.2300513851.00000000013F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303759710.00000000013F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000001.00000003.2300513851.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303759710.00000000013DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000001.00000002.2303862012.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000001.00000002.2303862012.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300513851.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49733 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D30228	1_2_00D30228
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D6A0D0	1_2_00D6A0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D64040	1_2_00D64040
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D21000	1_2_00D21000
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D32030	1_2_00D32030
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D271F0	1_2_00D271F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D	1_2_00E1B18D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2E1A0	1_2_00D2E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EF714B	1_2_00EF714B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D25160	1_2_00D25160
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DDA10B	1_2_00DDA10B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D582D0	1_2_00D582D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D512D0	1_2_00D512D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D212F7	1_2_00D212F7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EEE2A2	1_2_00EEE2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EFD22F	1_2_00EFD22F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D523E0	1_2_00D523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D213A3	1_2_00D213A3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2B3A0	1_2_00D2B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EF3391	1_2_00EF3391
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00ED0326	1_2_00ED0326
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2A300	1_2_00D2A300
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EF833B	1_2_00EF833B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D564F0	1_2_00D564F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D3049B	1_2_00D3049B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D34487	1_2_00D34487
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4C470	1_2_00D4C470
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D3C5F0	1_2_00D3C5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D28590	1_2_00D28590
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D235B0	1_2_00D235B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E27531	1_2_00E27531
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D686F0	1_2_00D686F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D68652	1_2_00D68652
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2164F	1_2_00D2164F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D5F620	1_2_00D5F620
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F007DA	1_2_00F007DA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D5B8C0	1_2_00D5B8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D5E8A0	1_2_00D5E8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2A850	1_2_00D2A850
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EFB865	1_2_00EFB865
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D51860	1_2_00D51860
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4098B	1_2_00D4098B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D689A0	1_2_00D689A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F6B91D	1_2_00F6B91D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D68A80	1_2_00D68A80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D67AB0	1_2_00D67AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D64A40	1_2_00D64A40
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EE9A49	1_2_00EE9A49
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D27BF0	1_2_00D27BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D3DB6F	1_2_00D3DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4CCD0	1_2_00D4CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F8BCAC	1_2_00F8BCAC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D66CBF	1_2_00D66CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EFEC65	1_2_00EFEC65
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D68C02	1_2_00D68C02
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E98C03	1_2_00E98C03
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EEFD72	1_2_00EEFD72
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D48D62	1_2_00D48D62
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4FD10	1_2_00D4FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4DD29	1_2_00D4DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2BEB0	1_2_00D2BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D36EBF	1_2_00D36EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D4AE57	1_2_00D4AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D68E70	1_2_00D68E70
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D34E2A	1_2_00D34E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D28FD0	1_2_00D28FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D67FC0	1_2_00D67FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D2AF10	1_2_00D2AF10

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00D3D300 appears 152 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00D2CAA0 appears 48 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9994649855610561
Source: file.exe	Static PE information: Section: cbcphhfl ZLIB complexity 0.9938742351062192

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00D58220 CoCreateInstance,

1_2_00D58220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1832960 > 1048576

Source: file.exe

Static PE information: Raw size of cbcphhfl is bigger than: 0x100000 < 0x196000

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 1.2.file.exe.d20000.0.unpack :EW;.rsrc :W;.idata :W; :EW;cbcphhfl:EW;zbkgdmce:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;cbcphhfl:EW;zbkgdmce:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1c2002 should be: 0x1ceee6

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: cbcphhfl
Source: file.exe	Static PE information: section name: zbkgdmce
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FC70F9 push edx; mov dword ptr [esp], ebx	1_2_00FC711C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F650E6 push 1E6F9DA3h; mov dword ptr [esp], eax	1_2_00F65007
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FBF0BC push eax; mov dword ptr [esp], esi	1_2_00FBF20D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FBF0BC push ebx; mov dword ptr [esp], ecx	1_2_00FBF211
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F1C080 push eax; mov dword ptr [esp], ecx	1_2_00F1C0BB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F1C080 push 17518A61h; mov dword ptr [esp], edx	1_2_00F1C0DE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F1B08C push ebp; mov dword ptr [esp], edx	1_2_00F1B01A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F1B08C push 7F3A5093h; mov dword ptr [esp], eax	1_2_00F1B0BC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F28052 push 34C7DC77h; mov dword ptr [esp], edi	1_2_00F2805A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F28052 push ebp; mov dword ptr [esp], esi	1_2_00F2809E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F28052 push edx; mov dword ptr [esp], edi	1_2_00F280BB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F28052 push edx; mov dword ptr [esp], esi	1_2_00F280E0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F28052 push 6591B56Dh; mov dword ptr [esp], edx	1_2_00F28100
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011BA1A0 push ebp; mov dword ptr [esp], 59FF29AAh	1_2_011BA1B7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011BA1A0 push eax; mov dword ptr [esp], 2F37F803h	1_2_011BA1C9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011BA1A0 push 19A94B32h; mov dword ptr [esp], ecx	1_2_011BA273
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_011BA1A0 push edx; mov dword ptr [esp], ecx	1_2_011BA2D4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F8F01D push edi; mov dword ptr [esp], eax	1_2_00F8F1E3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FC000E push eax; mov dword ptr [esp], ebx	1_2_00FC0032
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FAB1DD push 53951845h; mov dword ptr [esp], ebp	1_2_00FAB234
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FAB1DD push ebx; mov dword ptr [esp], 4E54FDE6h	1_2_00FAB2AA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00FAB1DD push 113215CEh; mov dword ptr [esp], esp	1_2_00FAB2CA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push eax; mov dword ptr [esp], ebp	1_2_00E1B1A4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push 1B5EAE3Fh; mov dword ptr [esp], esp	1_2_00E1B1AC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push 6432BD90h; mov dword ptr [esp], esi	1_2_00E1B212
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push 6A0B9914h; mov dword ptr [esp], edi	1_2_00E1B22D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push 09F99E72h; mov dword ptr [esp], ebx	1_2_00E1B2D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push eax; mov dword ptr [esp], esi	1_2_00E1B302
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1B18D push ebp; mov dword ptr [esp], ecx	1_2_00E1B366
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EF714B push 259C4982h; mov dword ptr [esp], eax	1_2_00EF7165
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EF714B push ebp; mov dword ptr [esp], edx	1_2_00EF716F

Source: file.exe	Static PE information: section name: entropy: 7.982307743980005
Source: file.exe	Static PE information: section name: cbcphhfl entropy: 7.954080802016992

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8426B second address: D83A9D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007F310118DD76h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F310118DD85h 0x00000012 nop 0x00000013 cld 0x00000014 push dword ptr [ebp+122D0AD5h] 0x0000001a mov dword ptr [ebp+122D1B63h], eax 0x00000020 call dword ptr [ebp+122D1E03h] 0x00000026 pushad 0x00000027 stc 0x00000028 xor eax, eax 0x0000002a mov dword ptr [ebp+122D2A26h], eax 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 mov dword ptr [ebp+122D2D9Dh], esi 0x0000003a mov dword ptr [ebp+122D3928h], eax 0x00000040 or dword ptr [ebp+122D2D9Dh], edx 0x00000046 mov esi, 0000003Ch 0x0000004b clc 0x0000004c add esi, dword ptr [esp+24h] 0x00000050 pushad 0x00000051 or dword ptr [ebp+122D2B97h], edi 0x00000057 pushad 0x00000058 mov eax, dword ptr [ebp+122D38ACh] 0x0000005e push ebx 0x0000005f pop esi 0x00000060 popad 0x00000061 popad 0x00000062 lodsw 0x00000064 stc 0x00000065 add eax, dword ptr [esp+24h] 0x00000069 mov dword ptr [ebp+122D2A26h], ecx 0x0000006f mov ebx, dword ptr [esp+24h] 0x00000073 jc 00007F310118DD7Ch 0x00000079 mov dword ptr [ebp+122D2D9Dh], edx 0x0000007f nop 0x00000080 push eax 0x00000081 push eax 0x00000082 push eax 0x00000083 push edx 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05E54 second address: F05E58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05E58 second address: F05E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F310118DD76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007F310118DD82h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFE797 second address: EFE7AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E4Dh 0x00000007 ja 00007F31011E0E46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05074 second address: F050B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007F310118DD76h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F310118DD87h 0x00000017 jmp 00007F310118DD86h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0520D second address: F05211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05211 second address: F05215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0536F second address: F05373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05373 second address: F05379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F054EA second address: F054F8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jno 00007F31011E0E46h 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0579C second address: F057BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F310118DD89h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F07388 second address: F0738C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0738C second address: F073E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F310118DD85h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push edx 0x00000013 jns 00007F310118DD78h 0x00000019 push eax 0x0000001a pop eax 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 js 00007F310118DD80h 0x00000026 pop eax 0x00000027 jg 00007F310118DD77h 0x0000002d cmc 0x0000002e lea ebx, dword ptr [ebp+12456FF2h] 0x00000034 movzx esi, si 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F073E3 second address: F073E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F07476 second address: F0747D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0747D second address: F07483 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F07483 second address: F07487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F07487 second address: F0748B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0748B second address: F074FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 043A0E06h 0x0000000f push 00000003h 0x00000011 call 00007F310118DD88h 0x00000016 jo 00007F310118DD7Bh 0x0000001c adc si, EC8Ah 0x00000021 pop edi 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push esi 0x00000027 call 00007F310118DD78h 0x0000002c pop esi 0x0000002d mov dword ptr [esp+04h], esi 0x00000031 add dword ptr [esp+04h], 00000016h 0x00000039 inc esi 0x0000003a push esi 0x0000003b ret 0x0000003c pop esi 0x0000003d ret 0x0000003e push 00000003h 0x00000040 jc 00007F310118DD82h 0x00000046 ja 00007F310118DD7Ch 0x0000004c push E806B644h 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 push edi 0x00000056 pop edi 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F074FF second address: F07505 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F28B17 second address: F28B33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F310118DD90h 0x0000000e js 00007F310118DD78h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF490A second address: EF490E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF490E second address: EF4918 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F310118DD76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF4918 second address: EF4924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F269E6 second address: F269FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F269FB second address: F26A00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26A00 second address: F26A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Fh 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26A17 second address: F26A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26B67 second address: F26B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26B6D second address: F26B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F31011E0E4Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26B7D second address: F26BA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F310118DD86h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26BA1 second address: F26BBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E57h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26BBC second address: F26BCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26D38 second address: F26D48 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F31011E0E48h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27403 second address: F27416 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F310118DD76h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27416 second address: F2742B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E51h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2742B second address: F27431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27431 second address: F2744D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F31011E0E4Ch 0x00000008 ja 00007F31011E0E52h 0x0000000e ja 00007F31011E0E46h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2758A second address: F27590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2784C second address: F27860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F31011E0E50h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEDD83 second address: EEDD87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F285F8 second address: F285FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F285FE second address: F28602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F28602 second address: F28623 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F31011E0E59h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B548 second address: F2B573 instructions: 0x00000000 rdtsc 0x00000002 je 00007F310118DD88h 0x00000008 jmp 00007F310118DD82h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F310118DD7Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B573 second address: F2B579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B579 second address: F2B57D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2BDE0 second address: F2BDEA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F31011E0E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2CFA4 second address: F2CFB2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F310118DD76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2DFA5 second address: F2DFE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E4Eh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jnc 00007F31011E0E4Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F31011E0E51h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2F5B7 second address: F2F5D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F310118DD88h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2F5D3 second address: F2F5DD instructions: 0x00000000 rdtsc 0x00000002 je 00007F31011E0E46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF1379 second address: EF1383 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F310118DD76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F30BBE second address: F30BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F31011E0E46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F30BC9 second address: F30BD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F310118DD76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F30BD3 second address: F30BD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF98FD second address: EF9906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF9906 second address: EF990A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3512F second address: F35135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F35135 second address: F35139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F35139 second address: F3513D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3513D second address: F3515F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F31011E0E51h 0x0000000e jbe 00007F31011E0E46h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F352AB second address: F352C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F352C0 second address: F352CC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F31011E0E4Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3874B second address: F38755 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F310118DD76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38755 second address: F3875B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38BEC second address: F38BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38BF0 second address: F38C29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F31011E0E59h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F393B4 second address: F393BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3985B second address: F39861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F39861 second address: F39872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F310118DD7Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F39872 second address: F39876 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F39F86 second address: F39F8C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F39F8C second address: F39F92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A9C7 second address: F3A9D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F310118DD76h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A9D9 second address: F3A9DF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A9DF second address: F3A9E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3BB88 second address: F3BBDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F31011E0E48h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a jmp 00007F31011E0E59h 0x0000002f push eax 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3BBDD second address: F3BBE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C589 second address: F3C60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jmp 00007F31011E0E4Bh 0x0000000c nop 0x0000000d jno 00007F31011E0E4Ch 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F31011E0E48h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f or edi, dword ptr [ebp+122D39E4h] 0x00000035 xor dword ptr [ebp+124790A5h], esi 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007F31011E0E48h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 0000001Ah 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 mov dword ptr [ebp+122D1D24h], ebx 0x0000005d jo 00007F31011E0E4Ch 0x00000063 or esi, dword ptr [ebp+122D2A3Eh] 0x00000069 push eax 0x0000006a pushad 0x0000006b push eax 0x0000006c push edx 0x0000006d push esi 0x0000006e pop esi 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3C60E second address: F3C626 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F310118DD76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F310118DD7Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3D13F second address: F3D155 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F31011E0E52h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E5E3 second address: F3E659 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F310118DD89h 0x00000012 push 00000000h 0x00000014 call 00007F310118DD85h 0x00000019 mov esi, edi 0x0000001b pop esi 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebp 0x00000021 call 00007F310118DD78h 0x00000026 pop ebp 0x00000027 mov dword ptr [esp+04h], ebp 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc ebp 0x00000034 push ebp 0x00000035 ret 0x00000036 pop ebp 0x00000037 ret 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F310118DD7Ch 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E659 second address: F3E65F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FA77 second address: F3FA86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FA86 second address: F3FA8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FA8C second address: F3FA90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42DC5 second address: F42E25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b mov bx, di 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F31011E0E48h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a cmc 0x0000002b mov edi, 55389E7Bh 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D20FDh], ebx 0x00000038 xchg eax, esi 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F31011E0E57h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42178 second address: F42191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F310118DD76h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jl 00007F310118DD76h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4306E second address: F43078 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F31011E0E46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F48F8F second address: F48F93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4802C second address: F48045 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnp 00007F31011E0E46h 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 jng 00007F31011E0E4Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F491AF second address: F491B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F491B4 second address: F491C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F31011E0E4Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F491C4 second address: F491C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4DD45 second address: F4DD49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AF51 second address: F4AF57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4DF26 second address: F4DF2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AF57 second address: F4AF5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4DF2C second address: F4DF30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4FF4F second address: F4FF54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AF5C second address: F4AF62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F51015 second address: F51019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AF62 second address: F4AF66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AF66 second address: F4AF86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCDB second address: EFCCE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCE4 second address: EFCCE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCE8 second address: EFCCEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCEE second address: EFCCF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCF4 second address: EFCCF9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFCCF9 second address: EFCD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Ah 0x00000009 pop edx 0x0000000a push edi 0x0000000b jmp 00007F310118DD7Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F588AA second address: F588B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F58A97 second address: F58A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F58D4B second address: F58D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F31011E0E4Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F31011E0E46h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E53A second address: F5E570 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F310118DD78h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 je 00007F310118DD95h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F310118DD87h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E570 second address: F5E597 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F31011E0E56h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E597 second address: F5E5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F310118DD76h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E71C second address: F5E720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF2EA4 second address: EF2EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F310118DD8Bh 0x0000000b jmp 00007F310118DD82h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF2EDA second address: EF2EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F62EB3 second address: F62ED4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F310118DD88h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F310118DD80h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F62ED4 second address: F62ED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F62ED8 second address: F62EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F63417 second address: F6341B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6341B second address: F6343B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD82h 0x00000007 jns 00007F310118DD76h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6343B second address: F63445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F31011E0E46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F63445 second address: F6344F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6344F second address: F63472 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E52h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c js 00007F31011E0E62h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F63472 second address: F63476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F63A38 second address: F63A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F31011E0E52h 0x00000009 je 00007F31011E0E46h 0x0000000f popad 0x00000010 jmp 00007F31011E0E52h 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F31011E0E52h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F65C76 second address: F65C7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F65C7C second address: F65C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF6493 second address: EF6497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF6497 second address: EF64A5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F31011E0E52h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF64A5 second address: EF64AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F69E09 second address: F69E34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jng 00007F31011E0E46h 0x00000011 jmp 00007F31011E0E58h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F69E34 second address: F69E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A121 second address: F6A127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A426 second address: F6A42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A58E second address: F6A5B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F31011E0E56h 0x0000000d popad 0x0000000e je 00007F31011E0E4Eh 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A71A second address: F6A738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F310118DD82h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A738 second address: F6A73C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6AB6A second address: F6AB7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F310118DD76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6ACAE second address: F6ACC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F31011E0E4Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6ACC4 second address: F6ACEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push esi 0x00000008 push edi 0x00000009 jmp 00007F310118DD87h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jc 00007F310118DD76h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1E493 second address: F1E497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1E497 second address: F1E4C2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F310118DD76h 0x00000008 je 00007F310118DD76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F310118DD82h 0x00000015 push ebx 0x00000016 ja 00007F310118DD76h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEF863 second address: EEF888 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F31011E0E57h 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEF888 second address: EEF88D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3716E second address: F37174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3770A second address: D83A9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 mov dword ptr [ebp+1245214Ch], ebx 0x0000000e push dword ptr [ebp+122D0AD5h] 0x00000014 mov dword ptr [ebp+122D5981h], edx 0x0000001a call dword ptr [ebp+122D1E03h] 0x00000020 pushad 0x00000021 stc 0x00000022 xor eax, eax 0x00000024 mov dword ptr [ebp+122D2A26h], eax 0x0000002a mov edx, dword ptr [esp+28h] 0x0000002e mov dword ptr [ebp+122D2D9Dh], esi 0x00000034 mov dword ptr [ebp+122D3928h], eax 0x0000003a or dword ptr [ebp+122D2D9Dh], edx 0x00000040 mov esi, 0000003Ch 0x00000045 clc 0x00000046 add esi, dword ptr [esp+24h] 0x0000004a pushad 0x0000004b or dword ptr [ebp+122D2B97h], edi 0x00000051 pushad 0x00000052 mov eax, dword ptr [ebp+122D38ACh] 0x00000058 push ebx 0x00000059 pop esi 0x0000005a popad 0x0000005b popad 0x0000005c lodsw 0x0000005e stc 0x0000005f add eax, dword ptr [esp+24h] 0x00000063 mov dword ptr [ebp+122D2A26h], ecx 0x00000069 mov ebx, dword ptr [esp+24h] 0x0000006d jc 00007F310118DD7Ch 0x00000073 mov dword ptr [ebp+122D2D9Dh], edx 0x00000079 nop 0x0000007a push eax 0x0000007b push eax 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37860 second address: F3786A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3786A second address: F3786E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37961 second address: F37965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37965 second address: F3796B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3796B second address: F37970 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37BEB second address: F37BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37BF0 second address: F37C45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F31011E0E53h 0x0000000f push ecx 0x00000010 jnl 00007F31011E0E46h 0x00000016 pop ecx 0x00000017 popad 0x00000018 nop 0x00000019 mov dh, cl 0x0000001b push 00000004h 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F31011E0E48h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 00000017h 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 mov edx, dword ptr [ebp+122D38A4h] 0x0000003d push eax 0x0000003e pushad 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37C45 second address: F37C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3842D second address: F38437 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F31011E0E4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38437 second address: F384E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ecx, 20BB5D96h 0x0000000e lea eax, dword ptr [ebp+1248703Ah] 0x00000014 or edi, 3769B924h 0x0000001a nop 0x0000001b jno 00007F310118DD80h 0x00000021 push eax 0x00000022 pushad 0x00000023 js 00007F310118DD78h 0x00000029 push edx 0x0000002a pop edx 0x0000002b jo 00007F310118DD83h 0x00000031 jmp 00007F310118DD7Dh 0x00000036 popad 0x00000037 nop 0x00000038 sub di, D2A3h 0x0000003d lea eax, dword ptr [ebp+12486FF6h] 0x00000043 push 00000000h 0x00000045 push ebp 0x00000046 call 00007F310118DD78h 0x0000004b pop ebp 0x0000004c mov dword ptr [esp+04h], ebp 0x00000050 add dword ptr [esp+04h], 00000018h 0x00000058 inc ebp 0x00000059 push ebp 0x0000005a ret 0x0000005b pop ebp 0x0000005c ret 0x0000005d nop 0x0000005e pushad 0x0000005f pushad 0x00000060 pushad 0x00000061 popad 0x00000062 jg 00007F310118DD76h 0x00000068 popad 0x00000069 jmp 00007F310118DD87h 0x0000006e popad 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007F310118DD7Dh 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F384E2 second address: F384E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F384E8 second address: F384ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F384ED second address: F1E493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F31011E0E57h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov di, 7A27h 0x00000011 call dword ptr [ebp+122D2D3Ch] 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jg 00007F31011E0E46h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EA20 second address: F6EA2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F310118DD76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EB71 second address: F6EB7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F31011E0E46h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EB7E second address: F6EB94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Dh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EB94 second address: F6EB9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EE44 second address: F6EE48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F129 second address: F6F12E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F3F1 second address: F6F40B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jno 00007F310118DD76h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F40B second address: F6F428 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F31011E0E62h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78785 second address: F7878A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7878A second address: F78790 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F775B1 second address: F775B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F775B7 second address: F775C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F31011E0E46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F775C3 second address: F775D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F310118DD7Eh 0x0000000b jne 00007F310118DD76h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F775D6 second address: F775F9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F31011E0E4Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F31011E0E46h 0x00000014 jmp 00007F31011E0E4Fh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77779 second address: F777A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F310118DD81h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F310118DD7Dh 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jl 00007F310118DD76h 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77ABE second address: F77AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77AC2 second address: F77ADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F310118DD83h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77ADB second address: F77AED instructions: 0x00000000 rdtsc 0x00000002 je 00007F31011E0E48h 0x00000008 jo 00007F31011E0E4Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F771F3 second address: F771F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F781A8 second address: F781AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F781AC second address: F781B6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F310118DD76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7847A second address: F78482 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78482 second address: F78499 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F310118DD7Ah 0x00000008 push ecx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78499 second address: F784AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push ebx 0x00000008 jp 00007F31011E0E46h 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F784AA second address: F784B7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F310118DD78h 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7D335 second address: F7D33B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7D47C second address: F7D4A9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F310118DD7Ch 0x00000008 jmp 00007F310118DD86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7D4A9 second address: F7D4AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80424 second address: F80428 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80428 second address: F80468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F31011E0E59h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F31011E0E56h 0x00000013 popad 0x00000014 pop edx 0x00000015 pushad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80468 second address: F8046E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FD48 second address: F7FD4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FD4C second address: F7FD50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FEAA second address: F7FEAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FEAE second address: F7FEB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80025 second address: F8004A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F31011E0E57h 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8004A second address: F80052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80052 second address: F80056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F844F9 second address: F84515 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F310118DD87h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F84515 second address: F8451B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8499B second address: F8499F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A446 second address: F8A44A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A44A second address: F8A44E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A44E second address: F8A458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88D56 second address: F88D5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88EF6 second address: F88EFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88EFE second address: F88F02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F89350 second address: F89354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37E12 second address: F37E24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37EEF second address: F37EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F31011E0E4Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A0F7 second address: F8A118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F310118DD88h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A118 second address: F8A130 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 jo 00007F31011E0E48h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A130 second address: F8A134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A134 second address: F8A15E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F31011E0E46h 0x00000008 jmp 00007F31011E0E58h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F31011E0E46h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A15E second address: F8A17F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Dh 0x00000007 jmp 00007F310118DD80h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8DF9F second address: F8DFD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F31011E0E4Ah 0x00000009 jmp 00007F31011E0E54h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F31011E0E4Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E2B5 second address: F8E2BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E2BE second address: F8E2C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F31011E0E46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E2C9 second address: F8E2DB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F310118DD78h 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F310118DD76h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E2DB second address: F8E33E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F31011E0E46h 0x00000008 jmp 00007F31011E0E53h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push edx 0x00000013 jmp 00007F31011E0E55h 0x00000018 pop edx 0x00000019 jns 00007F31011E0E61h 0x0000001f jp 00007F31011E0E48h 0x00000025 push esi 0x00000026 pop esi 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96F4E second address: F96F65 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F310118DD7Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9511F second address: F95144 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jns 00007F31011E0E46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F31011E0E56h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F95D22 second address: F95D2E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F310118DD76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96024 second address: F9603C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F31011E0E54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9603C second address: F9605C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 jng 00007F310118DD99h 0x0000000d jmp 00007F310118DD7Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9630E second address: F96347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F31011E0E46h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F31011E0E56h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jnp 00007F31011E0E46h 0x00000022 jnl 00007F31011E0E46h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96347 second address: F9634B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C37 second address: F96C3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C3B second address: F96C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C46 second address: F96C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C4C second address: F96C57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C57 second address: F96C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96C5B second address: F96C5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9E522 second address: F9E528 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9E6A2 second address: F9E6C0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F310118DD76h 0x00000008 jnp 00007F310118DD76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jns 00007F310118DD76h 0x00000017 ja 00007F310118DD76h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9EC43 second address: F9EC47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA94DF second address: FA94E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA94E3 second address: FA94E8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA94E8 second address: FA94FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Ch 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA94FD second address: FA952E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F31011E0E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007F31011E0E51h 0x00000016 popad 0x00000017 jnp 00007F31011E0E4Eh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA952E second address: FA9538 instructions: 0x00000000 rdtsc 0x00000002 je 00007F310118DD7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA96BC second address: FA96C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA96C0 second address: FA96C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA96C4 second address: FA96E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F31011E0E52h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA96E2 second address: FA96E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA96E7 second address: FA96F7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F31011E0E48h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9B29 second address: FA9B37 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F310118DD76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9B37 second address: FA9B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9DE7 second address: FA9DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9DEB second address: FA9DF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA9F61 second address: FA9F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAADC6 second address: FAADCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAADCA second address: FAADE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jmp 00007F310118DD7Bh 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB0178 second address: FB018A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F31011E0E46h 0x0000000a jns 00007F31011E0E46h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB018A second address: FB018F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB02BC second address: FB02C6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F31011E0E4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBD021 second address: FBD02D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBFDF8 second address: FBFE03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC75E9 second address: FC75EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC75EF second address: FC7621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F31011E0E4Ch 0x0000000a jmp 00007F31011E0E50h 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F31011E0E4Eh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7621 second address: FC762A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC762A second address: FC7630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD001B second address: FD0038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F310118DD88h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD0038 second address: FD0044 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F31011E0E46h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD0044 second address: FD0048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD39D1 second address: FD39D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD39D6 second address: FD39DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD39DC second address: FD3A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F31011E0E4Dh 0x0000000f jmp 00007F31011E0E53h 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007F31011E0E46h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD3A0E second address: FD3A18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD3A18 second address: FD3A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD9098 second address: FD90AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F310118DD7Fh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD90AC second address: FD90B6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F31011E0E4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7912 second address: FD791C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F310118DD82h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD791C second address: FD7922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7922 second address: FD7929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7929 second address: FD7969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F31011E0E46h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F31011E0E58h 0x00000019 jmp 00007F31011E0E53h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7969 second address: FD7987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F310118DD76h 0x0000000a jmp 00007F310118DD84h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7987 second address: FD798D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7AC7 second address: FD7ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7ACF second address: FD7AD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7AD4 second address: FD7AEE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F310118DD81h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7AEE second address: FD7AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7AF4 second address: FD7B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD7Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d js 00007F310118DD7Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7DA4 second address: FD7DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7DAA second address: FD7DBE instructions: 0x00000000 rdtsc 0x00000002 js 00007F310118DD76h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F310118DD76h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7DBE second address: FD7DDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F31011E0E56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7F31 second address: FD7F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F310118DD76h 0x0000000a jmp 00007F310118DD86h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7F53 second address: FD7F58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7F58 second address: FD7F5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD80DE second address: FD80E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD80E6 second address: FD80ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD8264 second address: FD8268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD8268 second address: FD8299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F310118DD76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jmp 00007F310118DD80h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F310118DD80h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD83E4 second address: FD83F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jp 00007F31011E0E46h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD83F6 second address: FD83FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD83FA second address: FD8400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD8DB7 second address: FD8DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDCDF4 second address: FDCE3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F31011E0E55h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F31011E0E5Ah 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007F31011E0E52h 0x00000018 push ebx 0x00000019 pushad 0x0000001a popad 0x0000001b pop ebx 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jl 00007F31011E0E46h 0x00000027 push ebx 0x00000028 pop ebx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDCE3A second address: FDCE64 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F310118DD82h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F310118DD82h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FED5B7 second address: FED5BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FED5BB second address: FED5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 jl 00007F310118DD82h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101216C second address: 101218A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F31011E0E46h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007F31011E0E52h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101243F second address: 1012443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012443 second address: 1012457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F31011E0E46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007F31011E0E48h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012457 second address: 1012476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F310118DD76h 0x0000000a jmp 00007F310118DD85h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012476 second address: 101247A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101247A second address: 1012488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012488 second address: 101248C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101248C second address: 101249E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F310118DD7Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101249E second address: 10124BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F31011E0E58h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10129F8 second address: 1012A18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012B92 second address: 1012B9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012B9C second address: 1012BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012BA0 second address: 1012BC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F31011E0E53h 0x0000000d popad 0x0000000e pushad 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012D1B second address: 1012D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F310118DD89h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012E97 second address: 1012EA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F31011E0E46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012EA3 second address: 1012EAD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F310118DD7Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012EAD second address: 1012EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012EBA second address: 1012EC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F310118DD76h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1012EC8 second address: 1012ED7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F31011E0E46h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1015EF3 second address: 1015F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F310118DD7Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1015F04 second address: 1015F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1015F08 second address: 1015F5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a movsx edx, cx 0x0000000d push 00000004h 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F310118DD78h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 push 65426583h 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 push edi 0x00000032 pop edi 0x00000033 jmp 00007F310118DD81h 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1015F5C second address: 1015F62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1016184 second address: 1016188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1016188 second address: 1016193 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1016193 second address: 10161A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F310118DD76h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10161A3 second address: 10161B0 instructions: 0x00000000 rdtsc 0x00000002 je 00007F31011E0E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10161B0 second address: 10161FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F310118DD76h 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F310118DD78h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D216Fh], edx 0x0000002d mov dx, bx 0x00000030 push dword ptr [ebp+122D2C32h] 0x00000036 add edx, dword ptr [ebp+122D3688h] 0x0000003c push 60DF20B3h 0x00000041 push eax 0x00000042 push edx 0x00000043 push ebx 0x00000044 push ebx 0x00000045 pop ebx 0x00000046 pop ebx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10161FD second address: 1016203 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101A8E5 second address: 101A947 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F310118DD7Ch 0x00000007 jmp 00007F310118DD82h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f jmp 00007F310118DD87h 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 popad 0x00000018 pushad 0x00000019 jmp 00007F310118DD89h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 jp 00007F310118DD76h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101A947 second address: 101A951 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F31011E0E46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5040DDB second address: 5040DE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D83A59 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D83B24 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F2B6EB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: FB6A92 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 6312

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: file.exe, file.exe, 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000002.2303862012.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000003.2300513851.00000000013F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303759710.00000000013F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: file.exe, 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000001.00000002.2303667116.000000000139E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`x@

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00D65BB0 LdrInitializeThunk,

1_2_00D65BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor

Source: file.exe, file.exe, 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: UProgram Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	5 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	unknown
eaglepawnoy.store	unknown	unknown	false	unknown
bathdoomgaz.store	unknown	unknown	false	unknown
spirittunek.store	unknown	unknown	false	unknown
licendfilteo.site	unknown	unknown	true	unknown
studennotediw.store	unknown	unknown	false	unknown
mobbipenju.store	unknown	unknown	false	unknown
clearancek.site	unknown	unknown	true	unknown
dissapoiznw.store	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
studennotediw.stor	true		unknown
spirittunek.stor	true		unknown
eaglepawnoy.stor	true		unknown
clearancek.site	true		unknown
mobbipenju.stor	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
licendfilteo.site	true		unknown
bathdoomgaz.stor	true		unknown
dissapoiznw.stor	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://player.vimeo.com	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	file.exe, 00000001.00000002.2303862012.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/en/	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/market/	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.youtube.com	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300513851.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/I	file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://s.ytimg.com;	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steam.tv/	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com:443/profiles/76561199724331900	file.exe, 00000001.00000003.2300513851.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303759710.00000000013DA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/points/shop/	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sketchfab.com	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:27060	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300513851.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303759710.00000000013DA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2303667116.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000001.00000002.2303959573.000000000146E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	file.exe, 00000001.00000002.2303862012.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2301468956.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2300442402.0000000001464000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000001.00000003.2300442402.000000000146A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528226
Start date and time:	2024-10-07 17:07:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@9/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
11:08:21	API Interceptor	2x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	down.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	xwZfYpo16i.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse	104.102.49.254
	c3KH2gLNrM.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://sneamcomnnumnlty.com/h474823487284/geting/active	Get hash	malicious	Unknown	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	down.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://issuu.com/smart_media/docs/die_welt_wirtschaft/19	Get hash	malicious	Unknown	Browse	23.212.88.20
	Hscni Remittance_8115919700_16831215.html	Get hash	malicious	Tycoon2FA	Browse	173.223.116.167
	original.eml	Get hash	malicious	Tycoon2FA	Browse	92.122.18.57
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	xwZfYpo16i.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse	104.102.49.254
	c3KH2gLNrM.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	uhwovHh7pS.msi	Get hash	malicious	VMdetect	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	BzLGqYKy7o.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	xwZfYpo16i.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse	104.102.49.254
	c3KH2gLNrM.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.948485728947969
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'832'960 bytes
MD5:	6143162264c50290f1925ce5713b921a
SHA1:	949da180ccf993c11c9e104f38402d891526d9ae
SHA256:	d6d5c6f5f79e371a818ecb16931b1f73461c4585479d794c7c4146d7a55dc069
SHA512:	d29ef5bd2b2ffb15c83271da0f70f3e42658bfc94370bead2fa042ad5e07bf8187f899d77f5e4075c9cca923130d39970e13dbf355f5b2accab9e542bf1bb639
SSDEEP:	49152:YNSvwWkoXNL1gSurrhhjgJl+lIk/44JRqBJzWQn5uXeWZh2w:Y8vwAvK/hhjgJlAITBQZjnF
TLSH:	6F853363AE574DD8D3902979811F070617F01BDC1AF24AA671EB1F5E6C2D3A0BF9642C
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................I...........@...........................I...... ....@.................................W...k..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x89b000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F31012C7C0Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	5f2dc4eb919243d85cf6bf66e6809208	False	0.9994649855610561	data	7.982307743980005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x2a4000	0x200	1e4c4e67f52994e50b4dc162aec143a2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cbcphhfl	0x304000	0x196000	0x196000	f15da7128828bd56712eaedac6941d04	False	0.9938742351062192	data	7.954080802016992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zbkgdmce	0x49a000	0x1000	0x400	3bbcf9ec0a1e33873a86ee222f088d74	False	0.744140625	data	5.858883199355108	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x49b000	0x3000	0x2200	af7d676653a0983a13a6b079eebe0be1	False	0.06847426470588236	DOS executable (COM)	0.7953272658216363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T17:08:22.311288+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.6	55376	1.1.1.1	53	UDP
2024-10-07T17:08:22.323636+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.6	50427	1.1.1.1	53	UDP
2024-10-07T17:08:22.336143+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.6	59002	1.1.1.1	53	UDP
2024-10-07T17:08:22.348964+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.6	63231	1.1.1.1	53	UDP
2024-10-07T17:08:22.366127+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.6	63272	1.1.1.1	53	UDP
2024-10-07T17:08:22.379683+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.6	62421	1.1.1.1	53	UDP
2024-10-07T17:08:22.394592+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.6	64231	1.1.1.1	53	UDP
2024-10-07T17:08:22.407319+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.6	58058	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 17:08:22.432939053 CEST	49733	443	192.168.2.6	104.102.49.254
Oct 7, 2024 17:08:22.432960987 CEST	443	49733	104.102.49.254	192.168.2.6
Oct 7, 2024 17:08:22.435153961 CEST	49733	443	192.168.2.6	104.102.49.254
Oct 7, 2024 17:08:22.436613083 CEST	49733	443	192.168.2.6	104.102.49.254
Oct 7, 2024 17:08:22.436621904 CEST	443	49733	104.102.49.254	192.168.2.6
Oct 7, 2024 17:08:23.068361998 CEST	443	49733	104.102.49.254	192.168.2.6
Oct 7, 2024 17:08:23.068434000 CEST	49733	443	192.168.2.6	104.102.49.254
Oct 7, 2024 17:08:23.069961071 CEST	49733	443	192.168.2.6	104.102.49.254
Oct 7, 2024 17:08:23.069966078 CEST	443	49733	104.102.49.254	192.168.2.6
Oct 7, 2024 17:08:23.070439100 CEST	443	49733	104.102.49.254	192.168.2.6
Oct 7, 2024 17:08:23.116908073 CEST	49733	443	192.168.2.6	104.102.49.254
Oct 7, 2024 17:08:23.119710922 CEST	49733	443	192.168.2.6	104.102.49.254
Oct 7, 2024 17:08:23.167418957 CEST	443	49733	104.102.49.254	192.168.2.6
Oct 7, 2024 17:08:23.552190065 CEST	443	49733	104.102.49.254	192.168.2.6
Oct 7, 2024 17:08:23.552218914 CEST	443	49733	104.102.49.254	192.168.2.6
Oct 7, 2024 17:08:23.552228928 CEST	443	49733	104.102.49.254	192.168.2.6
Oct 7, 2024 17:08:23.552248001 CEST	443	49733	104.102.49.254	192.168.2.6
Oct 7, 2024 17:08:23.552259922 CEST	443	49733	104.102.49.254	192.168.2.6
Oct 7, 2024 17:08:23.552273035 CEST	49733	443	192.168.2.6	104.102.49.254
Oct 7, 2024 17:08:23.552284956 CEST	443	49733	104.102.49.254	192.168.2.6
Oct 7, 2024 17:08:23.552304983 CEST	49733	443	192.168.2.6	104.102.49.254
Oct 7, 2024 17:08:23.552340031 CEST	49733	443	192.168.2.6	104.102.49.254
Oct 7, 2024 17:08:23.633881092 CEST	443	49733	104.102.49.254	192.168.2.6
Oct 7, 2024 17:08:23.633977890 CEST	443	49733	104.102.49.254	192.168.2.6
Oct 7, 2024 17:08:23.633997917 CEST	443	49733	104.102.49.254	192.168.2.6
Oct 7, 2024 17:08:23.634008884 CEST	49733	443	192.168.2.6	104.102.49.254
Oct 7, 2024 17:08:23.634058952 CEST	49733	443	192.168.2.6	104.102.49.254
Oct 7, 2024 17:08:23.813863039 CEST	49733	443	192.168.2.6	104.102.49.254
Oct 7, 2024 17:08:23.813883066 CEST	443	49733	104.102.49.254	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 17:08:22.311288118 CEST	55376	53	192.168.2.6	1.1.1.1
Oct 7, 2024 17:08:22.320355892 CEST	53	55376	1.1.1.1	192.168.2.6
Oct 7, 2024 17:08:22.323636055 CEST	50427	53	192.168.2.6	1.1.1.1
Oct 7, 2024 17:08:22.332716942 CEST	53	50427	1.1.1.1	192.168.2.6
Oct 7, 2024 17:08:22.336143017 CEST	59002	53	192.168.2.6	1.1.1.1
Oct 7, 2024 17:08:22.346534967 CEST	53	59002	1.1.1.1	192.168.2.6
Oct 7, 2024 17:08:22.348963976 CEST	63231	53	192.168.2.6	1.1.1.1
Oct 7, 2024 17:08:22.364417076 CEST	53	63231	1.1.1.1	192.168.2.6
Oct 7, 2024 17:08:22.366127014 CEST	63272	53	192.168.2.6	1.1.1.1
Oct 7, 2024 17:08:22.375186920 CEST	53	63272	1.1.1.1	192.168.2.6
Oct 7, 2024 17:08:22.379683018 CEST	62421	53	192.168.2.6	1.1.1.1
Oct 7, 2024 17:08:22.390491962 CEST	53	62421	1.1.1.1	192.168.2.6
Oct 7, 2024 17:08:22.394592047 CEST	64231	53	192.168.2.6	1.1.1.1
Oct 7, 2024 17:08:22.404145956 CEST	53	64231	1.1.1.1	192.168.2.6
Oct 7, 2024 17:08:22.407319069 CEST	58058	53	192.168.2.6	1.1.1.1
Oct 7, 2024 17:08:22.416095018 CEST	53	58058	1.1.1.1	192.168.2.6
Oct 7, 2024 17:08:22.420702934 CEST	51566	53	192.168.2.6	1.1.1.1
Oct 7, 2024 17:08:22.427989960 CEST	53	51566	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 17:08:22.311288118 CEST	192.168.2.6	1.1.1.1	0xb1e	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 7, 2024 17:08:22.323636055 CEST	192.168.2.6	1.1.1.1	0x1d9a	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 17:08:22.336143017 CEST	192.168.2.6	1.1.1.1	0xe75b	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 17:08:22.348963976 CEST	192.168.2.6	1.1.1.1	0xee24	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 17:08:22.366127014 CEST	192.168.2.6	1.1.1.1	0x7238	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 17:08:22.379683018 CEST	192.168.2.6	1.1.1.1	0xfaaa	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 17:08:22.394592047 CEST	192.168.2.6	1.1.1.1	0xff1	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 17:08:22.407319069 CEST	192.168.2.6	1.1.1.1	0xbbb2	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 7, 2024 17:08:22.420702934 CEST	192.168.2.6	1.1.1.1	0x5f3b	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 17:08:22.320355892 CEST	1.1.1.1	192.168.2.6	0xb1e	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 17:08:22.332716942 CEST	1.1.1.1	192.168.2.6	0x1d9a	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 17:08:22.346534967 CEST	1.1.1.1	192.168.2.6	0xe75b	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 17:08:22.364417076 CEST	1.1.1.1	192.168.2.6	0xee24	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 17:08:22.375186920 CEST	1.1.1.1	192.168.2.6	0x7238	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 17:08:22.390491962 CEST	1.1.1.1	192.168.2.6	0xfaaa	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 17:08:22.404145956 CEST	1.1.1.1	192.168.2.6	0xff1	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 17:08:22.416095018 CEST	1.1.1.1	192.168.2.6	0xbbb2	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 17:08:22.427989960 CEST	1.1.1.1	192.168.2.6	0x5f3b	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49733	104.102.49.254	443	4892	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 15:08:23 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-07 15:08:23 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 07 Oct 2024 15:08:23 GMT Content-Length: 25489 Connection: close Set-Cookie: sessionid=7cdaee4fd9ae6b2071faa6aa; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-07 15:08:23 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-07 15:08:23 UTC	10975	IN	Data Raw: 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 62 75 6c 67 61 72 69 61 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 62 75 6c 67 61 72 69 61 6e 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 Data Ascii: <a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a><a class="popup_menu_item tight" href="?l=bulgarian" onclick="ChangeLanguage( 'bulgarian' ); return fa

Target ID:	1
Start time:	11:08:18
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xd20000
File size:	1'832'960 bytes
MD5 hash:	6143162264C50290F1925CE5713B921A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	61.2%
Total number of Nodes:	49
Total number of Limit Nodes:	5

Executed Functions

Function 00D650FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(19A41BB1,00000000,00000800), ref: 00D65182

Strings

<I$), xrefs: 00D652E3
<I$), xrefs: 00D65198
@^, xrefs: 00D65120

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: <I$)$<I$)$@^
API String ID: 1029625771-935358343
Opcode ID: aa1fd969c10947982616b04862459d89ef4bd46f2a551aa22f038359290e2037
Instruction ID: c5cc7d6c07eaf2745f0949794642d05d978aaa9751681ab04f45640ba779491e
Opcode Fuzzy Hash: aa1fd969c10947982616b04862459d89ef4bd46f2a551aa22f038359290e2037
Instruction Fuzzy Hash: 1A21AE35108384CFD300DF68E89072AB7F4AB6A304F69482CE1C9D7362E776D955CB66

Function 00D2FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

V, xrefs: 00D2FEDC
VY^_, xrefs: 00D2FDFF
t, xrefs: 00D2FCBE
J|BJ, xrefs: 00D3000D

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: dd7549ed04c17bcb074f6ec7a7bc53c51ee745e209d579f3e180b8413107f6f4
Instruction ID: 2eeb41cdd022397e9fdddfd14019d268a4e4a75dd6f72aa0fea0992b45bdde0b
Opcode Fuzzy Hash: dd7549ed04c17bcb074f6ec7a7bc53c51ee745e209d579f3e180b8413107f6f4
Instruction Fuzzy Hash: 5AD167745083909BD315DF1895A062FBFE1AF96B48F188C2CF4C98B252D336CD49DBA2

Function 00D2D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00D2D2F0

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2240036762f89ce1e84398960e8fc8fae55562be77872098a92d176facb75428
Instruction ID: d131b3a0691424b8e5ee4b02b5bcdc1102ad0db101d55953e5ba5a82ad2d583b
Opcode Fuzzy Hash: 2240036762f89ce1e84398960e8fc8fae55562be77872098a92d176facb75428
Instruction Fuzzy Hash: D441267440D390ABD301AB68E544A2EFBE6EF62709F188C1CE9C497212C335D8148B7B

Function 00D65BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00D6973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 00D65BDE

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00D6695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00D669C5

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 095babde67814f7fe7fad321508a4e76570ebc8e3c16bcf18c46002211f83e05
Instruction ID: 7e8ac4455c8f1e3fa29934b51b055f079c7dfb9eee3242ad7ea27abfc9877fbf
Opcode Fuzzy Hash: 095babde67814f7fe7fad321508a4e76570ebc8e3c16bcf18c46002211f83e05
Instruction Fuzzy Hash: B13185B05183019FD718DF28D8A072AB7F2EF85344F08881CE5CAE72A1E774D944CB66

Function 00D3049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b832bb65ff8e39f368c5dd674b3d5849731c616bf733f5f760e379ab0bd7901d
Instruction ID: ffc133f43c35a223612b791c3c78266011d752c19e702c268a751adb30cde527
Opcode Fuzzy Hash: b832bb65ff8e39f368c5dd674b3d5849731c616bf733f5f760e379ab0bd7901d
Instruction Fuzzy Hash: D1917775200B00DFD7248F25E894B26B7F6FF89314B118A6CE896CBBA1D771E815CB60

Function 00D30228 Relevance: .2, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c811770cdc4c9b7537ea81ddd97ccdb6592d03b2613854a72c5e3b91097dcff
Instruction ID: c4f9691a147805151d2740adb7d0d0efe00910ef4b0d9b721218bc7ab8b24f1d
Opcode Fuzzy Hash: 6c811770cdc4c9b7537ea81ddd97ccdb6592d03b2613854a72c5e3b91097dcff
Instruction Fuzzy Hash: CB716875204B00DFD7258F20E894B26BBB6FF49315F148968E896CB762D771E815CB70

Function 00D699D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165f7d389fbaceab6cec7b6cc8dfb8ab77329822ab2c3d45c9b02939aec74d78
Instruction ID: 24f66f5fb4b8b976b048f41a9bd1039684620c170bae0d0cc6e04319c98e3f07
Opcode Fuzzy Hash: 165f7d389fbaceab6cec7b6cc8dfb8ab77329822ab2c3d45c9b02939aec74d78
Instruction Fuzzy Hash: E5418B34208300ABDB14DA59E9A0B2BF7FAEB85714F18882CF58A97251D371E841CB72

Function 00D663B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fb3b0d24eb51809263d87be0a9d72c8679a29b0f40a07d10db8c6ebb2f1844cc
Instruction ID: ae3c6ade3a2e0db1503b4be956152b9933bb4d8cb451315150b4143bbb07636b
Opcode Fuzzy Hash: fb3b0d24eb51809263d87be0a9d72c8679a29b0f40a07d10db8c6ebb2f1844cc
Instruction Fuzzy Hash: 2A31D570649301BBDA24DB18DD82F3AB7A5EB80B11F68450CF2C5972D5D770F8518B72

Function 00D30EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea07fe1e2dea7c20ab37703c999d42c2182adc8f68ea2bba0a1b6134cd14c11
Instruction ID: 1c417ed52b250ab4d442c61047fa2a33ee8d520d2cccf4e2c7dc3be012e80b4e
Opcode Fuzzy Hash: aea07fe1e2dea7c20ab37703c999d42c2182adc8f68ea2bba0a1b6134cd14c11
Instruction Fuzzy Hash: 1C2128B490021A9FDB15CF94CCA0BBEBBB1FF4A304F144848E411BB392C735A901CB64

Function 00D63220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00D632A6

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 64669a58a903a7ac84a4def9b1aa8c6ef4761d5835da48c197ce0de5698ca68c
Instruction ID: 81bcdf75a82d38ebe4142120456921adb7b29d3b49437c9c15b5f0552d49e90f
Opcode Fuzzy Hash: 64669a58a903a7ac84a4def9b1aa8c6ef4761d5835da48c197ce0de5698ca68c
Instruction Fuzzy Hash: 11014B3450D3409BC711AB18E895A1ABBE8EF4A700F05481CE5C98B361D235ED64DBA6

Function 00D63202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00D63208

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dda94d76c1c041d1d5fdc51f6a626bdb5a46870b14dbe576bcd9c5fac4a21ee7
Instruction ID: 419c05ca01fa05d298c10e769a939179a84269134b4b93704c9ecfa36b82f354
Opcode Fuzzy Hash: dda94d76c1c041d1d5fdc51f6a626bdb5a46870b14dbe576bcd9c5fac4a21ee7
Instruction Fuzzy Hash: 9CB012300401005FDA081B00EC0AF003521EF00605F900050A105441B1E16158A4C564

Non-executed Functions

Function 00D523E0 Relevance: 33.0, APIs: 4, Strings: 13, Instructions: 3298COMMON

Download Yara Rule

Strings

fedc, xrefs: 00D52782
`tii, xrefs: 00D52693
%*+(, xrefs: 00D540EF
ggxz, xrefs: 00D52685
mlc@, xrefs: 00D5275C
Cx, xrefs: 00D5453D
aenQ, xrefs: 00D5276A
#v, xrefs: 00D5344B, 00D54861
{l`~, xrefs: 00D5268C
|}&C, xrefs: 00D52F21
f@~!, xrefs: 00D525FF
:, xrefs: 00D532DD
3<, xrefs: 00D532D6

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C$#v
API String ID: 0-2260822535
Opcode ID: 43d8d27099663a59dcaba6e5c167cdaa8ec3a5a3de422bf2fd927a2d31bb54ca
Instruction ID: 53710d2f015d56af235a8237135c32ff1357d770dda618efb08832083b1e104e
Opcode Fuzzy Hash: 43d8d27099663a59dcaba6e5c167cdaa8ec3a5a3de422bf2fd927a2d31bb54ca
Instruction Fuzzy Hash: 3533BD70504B818FDB258F38C590762BBE1FF16305F58499DE8DA8BB92C735E80ACB61

Function 00D3DB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

`Y^_, xrefs: 00D3E99E
LKJI, xrefs: 00D3E6E6
89&', xrefs: 00D3E93B
DCBA, xrefs: 00D3E887, 00D3E896
lkji, xrefs: 00D3E73E
tsrq, xrefs: 00D3E6FC
<=:;, xrefs: 00D3E930
tuJK, xrefs: 00D3E967
:WUE, xrefs: 00D3F6B7, 00D3F6C6
89>?, xrefs: 00D3E9F6
<=2, xrefs: 00D3EA01
D, xrefs: 00D3E846
%*+(, xrefs: 00D3DE37, 00D3DE46
@ONM, xrefs: 00D3E6DB
QNOL, xrefs: 00D3E775
mjkh, xrefs: 00D3E7D8
WP, xrefs: 00D3DCEF
`onm, xrefs: 00D3E733
|, xrefs: 00D3ECB1
()./, xrefs: 00D3E9CA
AR, xrefs: 00D3DD10
T, xrefs: 00D3F157
xgfe, xrefs: 00D3E71D
dcba, xrefs: 00D3E728

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: 0922e3f12673beb6b3c1164de82f9617692332c8390ad2bc32651816a3355d83
Instruction ID: d283e5b00288daacba819d14e0dd80f7e156f921b4e59cf04342b06cdec96fa5
Opcode Fuzzy Hash: 0922e3f12673beb6b3c1164de82f9617692332c8390ad2bc32651816a3355d83
Instruction Fuzzy Hash: ABF268B15093819BD774CF14D884BABBBE6FFD5304F58482CE4C98B292D7719984CBA2

Function 00D49F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

/), xrefs: 00D4A66D
sm, xrefs: 00D4A830
_Y, xrefs: 00D4A641
JG, xrefs: 00D4AA27
=], xrefs: 00D4A36A
CG, xrefs: 00D4AA32
WQ, xrefs: 00D4A62B
%e6g, xrefs: 00D4A152
WH, xrefs: 00D4AA1C
S], xrefs: 00D4A636
]{, xrefs: 00D4A1E7, 00D4A1F3
(a*c, xrefs: 00D4A147
kW, xrefs: 00D4A380
?m,o, xrefs: 00D4A13C
N[, xrefs: 00D4A375
hi, xrefs: 00D4AB9D
Gt, xrefs: 00D49FF8

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: 391ff4d525e51d706268c3d81984947dd939bc769d45d829d00e4e42098f2209
Instruction ID: a7ccb414d3a7fabef652b0a33ca17a34463694a4369876ad6ee9853d020f899d
Opcode Fuzzy Hash: 391ff4d525e51d706268c3d81984947dd939bc769d45d829d00e4e42098f2209
Instruction Fuzzy Hash: 0D52B7B844D385CAE270CF25D581B8EBAF1BB92740F609A1DE1ED9B255DB708045CFA3

Function 00D49510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

pq, xrefs: 00D499E0
L3Y=, xrefs: 00D49B03
z=Q?, xrefs: 00D49826
;IJK, xrefs: 00D4983E
G+X5, xrefs: 00D49AF3
O+f), xrefs: 00D49634, 00D4963D
G'M!, xrefs: 00D49ADB
B7U1, xrefs: 00D49AFB
2A"_, xrefs: 00D49980
,A&C, xrefs: 00D4982E
B?Q9, xrefs: 00D49B0B
X/R), xrefs: 00D49AEB
?M0K, xrefs: 00D49968
8;, xrefs: 00D49B13
!E4G, xrefs: 00D49836
T#a-, xrefs: 00D49AE3

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: a143959153a187e9bb0b2d3df1b0411c4f5cd37dcf826de757f06df66dfc23aa
Instruction ID: c7a40d6988fe983ab4f0ed8748a35a565598cda71ef25dcc9c47a786149e2e2b
Opcode Fuzzy Hash: a143959153a187e9bb0b2d3df1b0411c4f5cd37dcf826de757f06df66dfc23aa
Instruction Fuzzy Hash: F4F12DB4508380ABD310DF16D891A2BBBF4EB96B48F144D1CF5D99B252E374D908CBA6

Function 00D4DD29 Relevance: 14.9, Strings: 11, Instructions: 1142COMMON

Download Yara Rule

Strings

n\+H, xrefs: 00D4DDC0
)IgK, xrefs: 00D4E261
%*+(, xrefs: 00D4E143
=]+_, xrefs: 00D4E276
,Q?S, xrefs: 00D4E26F
<Y.[, xrefs: 00D4E27D
-M2O, xrefs: 00D4E25A
{E, xrefs: 00D4E323
hX]N, xrefs: 00D4DDC7
upH}, xrefs: 00D4DE8A, 00D4E798, 00D4DF4A
Y9N;, xrefs: 00D4E245

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$upH}${E
API String ID: 0-1557708024
Opcode ID: bd369484eae465454d6788884d246ce4b3ce81571ae6967c85952a810e058767
Instruction ID: d826d6179a24dcba148552bfb7a10775c9ae4146fa4871d04b814c2ea8f4a9f1
Opcode Fuzzy Hash: bd369484eae465454d6788884d246ce4b3ce81571ae6967c85952a810e058767
Instruction Fuzzy Hash: 94921375E00215DFDB18CF68D8517AEBBB2FF49310F298268E456AB391D731AD41CBA0

Function 00D4098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

gce/, xrefs: 00D41073
9.5^, xrefs: 00D40F9F
,#15, xrefs: 00D40F94
qrqp, xrefs: 00D41089
cah`, xrefs: 00D4107E
&> &, xrefs: 00D40F89
%*+(, xrefs: 00D40A77, 00D40A86
{, xrefs: 00D41502

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: 82297191b06151dba03df10bdd3845453fb54bdfb737a0cd74c3023636fc30af
Instruction ID: 4e2009484afbe1de3b3176d6ebe825f854c889fe0e26035c822ec0f25d91f1a7
Opcode Fuzzy Hash: 82297191b06151dba03df10bdd3845453fb54bdfb737a0cd74c3023636fc30af
Instruction Fuzzy Hash: 91627AB5508381CBD730CF14D891BABBBE1FF96314F08492DE49A8B681E7759984CB63

Function 00D21000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 00D21587, 00D215F8
gfff, xrefs: 00D222E1
@, xrefs: 00D22C40
-, xrefs: 00D221ED
0123456789ABCDEFXP, xrefs: 00D2157D, 00D215EB
gfff, xrefs: 00D22297
gfff, xrefs: 00D22226

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: 98dffe7c1ae5cf4cb91c6fa006818e7fe91dd304551d88975cc3a54d3ee7ce91
Instruction ID: a6440ef9ec605be20b4cd383894342ce3f479eea98561931c6e8af6c2faf5427
Opcode Fuzzy Hash: 98dffe7c1ae5cf4cb91c6fa006818e7fe91dd304551d88975cc3a54d3ee7ce91
Instruction Fuzzy Hash: 5FD2F4316083619FC718CE28D49436ABBE2AFE9318F18C62DF4D987391D774D945CBA2

Function 00F007DA Relevance: 10.4, Strings: 7, Instructions: 1659COMMON

Download Yara Rule

Strings

0R8W, xrefs: 00F00E53
bot, xrefs: 00F019BE
YOi, xrefs: 00F00D9D
a"b, xrefs: 00F00C87
)P_>, xrefs: 00F008D1
0XoG, xrefs: 00F0118C
7v~, xrefs: 00F008A8

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: )P_>$0R8W$0XoG$7v~$YOi$a"b$bot
API String ID: 0-3966374571
Opcode ID: 45b715976c2c51ece641b5061fd17f770e02f2565cb015a09256c7fedc38e03b
Instruction ID: 7c0e998ad7811c2574e7f34d8c3602b1b501ebf575c0fe14df1fb5dcfe584031
Opcode Fuzzy Hash: 45b715976c2c51ece641b5061fd17f770e02f2565cb015a09256c7fedc38e03b
Instruction Fuzzy Hash: C1B2F7F360C3009FE308AE2DEC8567ABBE9EF94720F15893DE6C5C7744EA3558058696

Function 00EF3391 Relevance: 10.4, Strings: 7, Instructions: 1619COMMON

Download Yara Rule

Strings

J7Xt, xrefs: 00EF396A
o'5, xrefs: 00EF3BF0
o'5, xrefs: 00EF3BC9
?\tz, xrefs: 00EF40B9
Gr}, xrefs: 00EF418C
PG=, xrefs: 00EF3BBF
N`w{, xrefs: 00EF3FC5

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: ?\tz$Gr}$J7Xt$N`w{$PG=$o'5$o'5
API String ID: 0-670664442
Opcode ID: e486119ee332298ad5fff59567b2148ab4ac9a7779be2726ce977209513c65d5
Instruction ID: e57739a213844b3b410769c5882b757f0c92fdcf06960311ac26096079b14218
Opcode Fuzzy Hash: e486119ee332298ad5fff59567b2148ab4ac9a7779be2726ce977209513c65d5
Instruction Fuzzy Hash: E6B228F360C2049FE3046E6DEC8567ABBE9EF94320F1A4A3DEAC4C3744E67558058697

Function 00EF833B Relevance: 9.1, Strings: 6, Instructions: 1561COMMON

Download Yara Rule

Strings

,jm, xrefs: 00EF9594
{~}, xrefs: 00EF8737
6cog, xrefs: 00EF8916
>7, xrefs: 00EF8942
L?u~, xrefs: 00EF9150
S"N', xrefs: 00EF8E8B

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: ,jm$6cog$L?u~$S"N'${~}$>7
API String ID: 0-1719813877
Opcode ID: 6732154e68218a09f9517ec28c36f08b28900d8c6cd0e919d2e0e214c24afcb1
Instruction ID: 76f56a2ed261407b22c1481b18d08c509ad6d95703628d99c10a6ce5aa3aed94
Opcode Fuzzy Hash: 6732154e68218a09f9517ec28c36f08b28900d8c6cd0e919d2e0e214c24afcb1
Instruction Fuzzy Hash: 14B229F390C2149FE3046E2DEC8567AFBE9EF94720F1A493DEAC587744EA3558008697

Function 00EFEC65 Relevance: 7.9, Strings: 5, Instructions: 1660COMMON

Download Yara Rule

Strings

^}y, xrefs: 00EFF155
(~, xrefs: 00EFFA8D
k&k, xrefs: 00EFF4D3
g_, xrefs: 00EFF37D
wW\_, xrefs: 00EFF9FC

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: k&k$wW\_$(~$^}y$g_
API String ID: 0-2584169009
Opcode ID: 2cda31b86175d7b6606a69d8c596312ec564e149aa6db492506a1cf08e1d5020
Instruction ID: 03df6497c7674c8d0b579ce824db546202635ed88b609a51008f01a7c34c7d80
Opcode Fuzzy Hash: 2cda31b86175d7b6606a69d8c596312ec564e149aa6db492506a1cf08e1d5020
Instruction Fuzzy Hash: DEB2E6F3A082049FE304AE29EC8567AFBE5EF94720F16893DE6C4C7744EA3558058697

Function 00EEE2A2 Relevance: 7.8, Strings: 5, Instructions: 1573COMMON

Download Yara Rule

Strings

kB, xrefs: 00EEE5DE
idNh, xrefs: 00EEF113
He, xrefs: 00EEEF22
g_Gy, xrefs: 00EEE582
He, xrefs: 00EEEEED

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: He$ He$g_Gy$idNh$kB
API String ID: 0-2847410947
Opcode ID: 78930cd57a5ff404b1e7fa2289d1474d9d40b08ba082572884f7d0e1f7c0c614
Instruction ID: 2745c5e0efb99c9e0ba725cd37bb50cb33776a75a1651b3e503f0731568d11eb
Opcode Fuzzy Hash: 78930cd57a5ff404b1e7fa2289d1474d9d40b08ba082572884f7d0e1f7c0c614
Instruction Fuzzy Hash: 07B204F360C6009FE304AE2DEC8567ABBE9EF94320F1A493DE6C5C7740EA3558418697

Function 00EEFD72 Relevance: 7.8, Strings: 5, Instructions: 1571COMMON

Download Yara Rule

Strings

U!{, xrefs: 00EEFED2
'Zy{, xrefs: 00EF09D5
1(0{, xrefs: 00EEFF61
kK~, xrefs: 00EF0FA0
`=n{, xrefs: 00EF0C69

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: 'Zy{$1(0{$U!{$`=n{$kK~
API String ID: 0-1282272579
Opcode ID: 86fad36524cae857e8675f75eac229dae35367e2c994be4496c945e8e01f71b4
Instruction ID: 0995a49223fc700b3f34cacfdf63f22c6ab2509a1265e428aad86448ff633243
Opcode Fuzzy Hash: 86fad36524cae857e8675f75eac229dae35367e2c994be4496c945e8e01f71b4
Instruction Fuzzy Hash: 90B2F5F390C204AFE304AF29DC8567AFBE9EF94720F16892DEAC487744E63558418797

Function 00D212F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

0, xrefs: 00D2243E
@, xrefs: 00D23531
i, xrefs: 00D228EA
0, xrefs: 00D21E88
0, xrefs: 00D21DC1

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: 697043b3145dabe686fb22997ba87ee0144c6fe1044934fa0cf4923c388c3d14
Instruction ID: b0a2fc85c832edc2d376a3cd1bae64c301ca69312198340fdd9eb993928b0bc4
Opcode Fuzzy Hash: 697043b3145dabe686fb22997ba87ee0144c6fe1044934fa0cf4923c388c3d14
Instruction Fuzzy Hash: F362D47160C3A19BC318CE28D49076AFBE1AFE5308F188A1DF8D987391D774D945CBA2

Function 00EF714B Relevance: 7.2, Strings: 5, Instructions: 906COMMON

Download Yara Rule

Strings

#z@n, xrefs: 00EF7868
'z@n, xrefs: 00EF7863
KM, xrefs: 00EF717E
zXs, xrefs: 00EF7251
#{, xrefs: 00EF7283

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: KM$#z@n$#{$'z@n$zXs
API String ID: 0-1463500295
Opcode ID: ee4c97d946132bd0897b021a38b88bbfb048482a983dc3528feeb2f8f0ea32af
Instruction ID: 2c381de57a4a32aa9739275362636ab42d5e2ab64b47b1331f79ed171fb89276
Opcode Fuzzy Hash: ee4c97d946132bd0897b021a38b88bbfb048482a983dc3528feeb2f8f0ea32af
Instruction Fuzzy Hash: A452F4F360C204AFE3046E29EC8567AF7E5EF94720F16893DE6C483744EA3598458B97

Function 00D2164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 00D21659
0123456789ABCDEFXP, xrefs: 00D2164F
gfff, xrefs: 00D21F57
+, xrefs: 00D21573
gfff, xrefs: 00D21F3C

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: 93f1c2c0b75aba170ff47bc28a6561c632d400c895d65baca7bbc5698e6e928b
Instruction ID: 4d50bb4c967428bc0d7f2f98575ba3d72256080b4bbcde3080edc2110efdeb68
Opcode Fuzzy Hash: 93f1c2c0b75aba170ff47bc28a6561c632d400c895d65baca7bbc5698e6e928b
Instruction Fuzzy Hash: 44F1C23560C3919FC715CE28D48026AFBE2AFE9308F18CA6DE4D987356D334D945CBA2

Function 00D213A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 00D213AD
0123456789ABCDEFXP, xrefs: 00D213A3
-, xrefs: 00D21F23
gfff, xrefs: 00D21F57
gfff, xrefs: 00D21F3C

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: df7ea39d4090ade5eb3864eed32116fd6758b88c850cffe7310b17a3031279b8
Instruction ID: 93f978cc6de9131d62421c5575030644236a219393df08306fb5a61ab8b98a7b
Opcode Fuzzy Hash: df7ea39d4090ade5eb3864eed32116fd6758b88c850cffe7310b17a3031279b8
Instruction Fuzzy Hash: 87D1B03560C7919FC715CE29D48026AFFE2AFE9308F08CA6DE4D987356D234D949CB62

Function 00EFD22F Relevance: 6.6, Strings: 4, Instructions: 1592COMMON

Download Yara Rule

Strings

sL}, xrefs: 00EFD44C
@qh, xrefs: 00EFDE66
HJT{, xrefs: 00EFD62A
av~, xrefs: 00EFDC15

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: @qh$HJT{$sL}$av~
API String ID: 0-75150499
Opcode ID: f84be685b03a0bc56724a9e6113da168636dc2f3ec8b2d757a84c53afa2fe41a
Instruction ID: 8845b7cbd07ba5659f3ae6f18ce1f22fe60731e1437351f4071885e3ce5f035d
Opcode Fuzzy Hash: f84be685b03a0bc56724a9e6113da168636dc2f3ec8b2d757a84c53afa2fe41a
Instruction Fuzzy Hash: 82B2E5F360C2049FE304AE2DEC8567ABBE9EF94720F16493DEAC5C3744EA3558448697

Function 00EFB865 Relevance: 6.5, Strings: 4, Instructions: 1476COMMON

Download Yara Rule

Strings

<:T, xrefs: 00EFB8A8
}, xrefs: 00EFC706
;Wy?, xrefs: 00EFC3AB
;Wy?, xrefs: 00EFC37D

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: ;Wy?$;Wy?$<:T$}
API String ID: 0-769094112
Opcode ID: 4b79c2f4aadf2a7c344b8b40a58748e65791ea7df6e3c10bf6cdb9005874ae00
Instruction ID: efe8a723690f774ff01f2f550c82bdca8eeaf69abb81cf02b3e0b2721d3ad4ec
Opcode Fuzzy Hash: 4b79c2f4aadf2a7c344b8b40a58748e65791ea7df6e3c10bf6cdb9005874ae00
Instruction Fuzzy Hash: 13A2D1F260C6009FE304AF29EC8567AFBE5EF98720F16492DEAC4C7740E63558518B97

Function 00D4FD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

uvw, xrefs: 00D4FE95
NA_I, xrefs: 00D5036D
:, xrefs: 00D50087
m1s3, xrefs: 00D4FEC3, 00D4FECB

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: 2cb4716b863a4a16a1dc40a4eb0245b458748ef408db88c791327a03f9c016c1
Instruction ID: 00f4cb63965a64d38ebe20d5dce5c6afadce375fb64f24ee0376865764cb0f8c
Opcode Fuzzy Hash: 2cb4716b863a4a16a1dc40a4eb0245b458748ef408db88c791327a03f9c016c1
Instruction Fuzzy Hash: ED32AC74508380DFD710DF28D881A2ABBE5EB89345F184A6CF9D58B392E335D949CF62

Function 00D33BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

p, xrefs: 00D33C80
ss, xrefs: 00D33C79
;z, xrefs: 00D33C87
%*+(, xrefs: 00D33EC4

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: 229ebcfcd76cf2b8d4bf6dbad0c2453986b4fc87b267106fdcc82ed120778fc1
Instruction ID: 4a62860381609ad0eab2031c6306a3bc21ddc73e0f9bbf3de0efd6b04c386520
Opcode Fuzzy Hash: 229ebcfcd76cf2b8d4bf6dbad0c2453986b4fc87b267106fdcc82ed120778fc1
Instruction Fuzzy Hash: 3A025BB4810B009FD760DF28D986756BFF5FF01300F54895DE89A9B696E370E419CBA2

Function 00D42260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

hu, xrefs: 00D4232F
sj, xrefs: 00D42327
lc, xrefs: 00D42507
a|, xrefs: 00D42317

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: a|$hu$lc$sj
API String ID: 0-3748788050
Opcode ID: a9a5be1a3a695eae95d7087c205b779042aa9e453bb3bade59e7cded15af8054
Instruction ID: ef217da0dc15b7a7be2560425cf971af473fa360c86407e2040c0c62193a5139
Opcode Fuzzy Hash: a9a5be1a3a695eae95d7087c205b779042aa9e453bb3bade59e7cded15af8054
Instruction Fuzzy Hash: D4A17A744083418BC720DF18C891A2BB7F0FFA5754F989A0CF8D99B291E339D945CBA6

Function 00D4D7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

#', xrefs: 00D4D9EA
T>, xrefs: 00D4D984
CV, xrefs: 00D4D98B
KV, xrefs: 00D4D97D

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: 1fedc94ef98ba61d910deb96b40bc32cf93d0d57fc5940e95311da06009af6d2
Instruction ID: af1432331f6b7e58369858c24bb27a5a6a3baf0da31eba5c2f00878b96ebb1c5
Opcode Fuzzy Hash: 1fedc94ef98ba61d910deb96b40bc32cf93d0d57fc5940e95311da06009af6d2
Instruction Fuzzy Hash: 228156B48017459BDB20DFA5D28516EBFB1FF16300F604A0CE886ABB55C330AA55CFE2

Function 00D4AC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

4c2a, xrefs: 00D4ACA9
lk, xrefs: 00D4ACBC
,{*y, xrefs: 00D4AD07, 00D4AD13
(g6e, xrefs: 00D4ACA1

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: 75643e70ddc481a21bb344ddd5b2699d6b5c97300b34403e7994aee2db3d9aa2
Instruction ID: 1b492835a5ac5c5367da742e0d40b6f888d18e1be686007021b8d4753d17b7e3
Opcode Fuzzy Hash: 75643e70ddc481a21bb344ddd5b2699d6b5c97300b34403e7994aee2db3d9aa2
Instruction Fuzzy Hash: EC4197B4808381CBD7209F28D901BABB7F4FF86305F58995DE5C897260EB71D944CBA6

Function 00D4C470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

~/i!, xrefs: 00D4C537
%*+(, xrefs: 00D4C8C3, 00D4C8CB
%*+(, xrefs: 00D4C9E4, 00D4C9ED

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: 6b820f8a7af17c29926f818eb20dbb6910954b77acf758effd23ea73ea32be88
Instruction ID: 4a2d0196fc2d8eeb1e50cea93f00df868022885d10fc3ff0312640e65dd69775
Opcode Fuzzy Hash: 6b820f8a7af17c29926f818eb20dbb6910954b77acf758effd23ea73ea32be88
Instruction Fuzzy Hash: 4BE185B5519340EFE7209F28D881B2EBBF5FB85344F48892CE6C987251E731D854CBA2

Function 00D28590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

), xrefs: 00D2860C
), xrefs: 00D28616
IEND, xrefs: 00D289F0

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: a163a6965a6274e60cf151f7b24db90351f661f1de597b45526f83ef63758060
Instruction ID: fbebeaa8918770a8408af7a28c61811956df6898eef06c43979a0a6a2f75dd84
Opcode Fuzzy Hash: a163a6965a6274e60cf151f7b24db90351f661f1de597b45526f83ef63758060
Instruction Fuzzy Hash: B5E1C0B1A087119FE310CF28E84172ABBE0FBA8318F14492DE59597381DB75E954CBE2

Function 00D64040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D640A4, 00D640AD
f, xrefs: 00D6420C

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: 2b0a2e49bd8e9491ac49d1d8b7efff4435b11e94554ed381d6d20d811b4593dc
Instruction ID: b06af6f16549c43e4035ac7a908b3c53327c16a5c8f3b676b6d5dae3121242db
Opcode Fuzzy Hash: 2b0a2e49bd8e9491ac49d1d8b7efff4435b11e94554ed381d6d20d811b4593dc
Instruction Fuzzy Hash: F71299716083419FC715CF18D890B2EBBE6FB8A314F188A2CF4958B391D775E945CBA2

Function 00D5F620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

hi, xrefs: 00D5F6E6
dg, xrefs: 00D5F7F5

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: 3fb00a532911663a6c6f42ac27a756809899b3e69e7a5151396f13b0e9580299
Instruction ID: 175de85ec9474e88d7fcb7ed64d22332abd29e2f2cce9cdec9af812273383835
Opcode Fuzzy Hash: 3fb00a532911663a6c6f42ac27a756809899b3e69e7a5151396f13b0e9580299
Instruction Fuzzy Hash: 08F18471618341EFE7048F25D891B2ABBF6EF86345F14992CF8898B2A1D734D844CB22

Function 00D235B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

Inf, xrefs: 00D23607
NaN, xrefs: 00D2360E

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 2f177177c7d0a110dcc54079fee4cb278a5be1a9a6e368140d18eafc9767fc03
Instruction ID: 63c6f38863a9936ff400b57f2ab02b4c1895f17d157ea3329e53e03267e58968
Opcode Fuzzy Hash: 2f177177c7d0a110dcc54079fee4cb278a5be1a9a6e368140d18eafc9767fc03
Instruction Fuzzy Hash: CCD1F571A083219BC704CF28D88061EBBE5EBD8754F148A3DF9D9973A0E675DD448BA2

Function 00D3FFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

Ye[g, xrefs: 00D400F6
BaBc, xrefs: 00D40197

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: 0bd54449aa5078823cc48a768bb05a347d035ad431cc540fc0e88e1f872fd56b
Instruction ID: cbae8ea158e4fcf7125a9edc026f8ad291210b7f9b4327c05771925c12333081
Opcode Fuzzy Hash: 0bd54449aa5078823cc48a768bb05a347d035ad431cc540fc0e88e1f872fd56b
Instruction Fuzzy Hash: BF51ACB16083818BD731CF18C881BABBBE0FF96314F19491DE5DA9B691E3749940CB67

Function 00D25160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 00D254C8

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: 5b667625fbec2e817aa0ef74b638b3be96dc90dc428e313a875c04af03be17b8
Instruction ID: d056d2c0ff7048adbb3c77918b5e1b3cc27c201a26b95a9b88bfc3da10219976
Opcode Fuzzy Hash: 5b667625fbec2e817aa0ef74b638b3be96dc90dc428e313a875c04af03be17b8
Instruction Fuzzy Hash: FC22D4B6A08B62CBE7158E18B440B26FBA2AFF030CF1D856DD8994B349E771DC45C761

Function 00D512D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 00D515D1

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: 5655aed2ca2ba4d4cfff38026f0ef2c71dbd033cc8d5257c8c4ea16f05305868
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: 08F14579A083515BCB24CE28C49172BBBE5AFC5355F1C856DEC9A87382D634DC0987B2

Function 00D4AE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D4B2D3, 00D4B2DB

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 156b5d84ecf8531be6d92f37da59558dc0e1e5cfd3cbb57af55f5c227dfecf51
Instruction ID: 1bffb13ee12f3f6a8e49c0ca846972a2dc27d15587bf2b00def3698e3ba5b1c9
Opcode Fuzzy Hash: 156b5d84ecf8531be6d92f37da59558dc0e1e5cfd3cbb57af55f5c227dfecf51
Instruction Fuzzy Hash: D9E1BB75508306CBC714DF29C49056EB7F2FFA9791F588A1DE4C587220E331E999CBA2

Function 00D36EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D36EF3

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 782559c7b8abfbc86c579bbe82c0b68c44c99758e29836a1be49e3dfe0c277d1
Instruction ID: 994247878feecb31a3611a2902f5ffe21c815a351eb8639d097fe51135413418
Opcode Fuzzy Hash: 782559c7b8abfbc86c579bbe82c0b68c44c99758e29836a1be49e3dfe0c277d1
Instruction Fuzzy Hash: 14F18D75A00B019FC7249F28E891A26B7F2FF58314B188A2DE49787791EB70F815CB61

Function 00D47E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D48263, 00D4826B

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: a70f2f8180998fe94b08e840c87bc04b008d060ccba712d6efdd59977ca44665
Instruction ID: ccc18ba67694a707bf0d766ff0df3e0d3309dd6ea1a680176d56da104104f187
Opcode Fuzzy Hash: a70f2f8180998fe94b08e840c87bc04b008d060ccba712d6efdd59977ca44665
Instruction Fuzzy Hash: 40C1AC71908300ABD710AB14D882A2FB7F5EF95794F084819F8C59B251E735ED45EBB2

Function 00D48D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D49233, 00D4923B

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: d1ad7bca570202e0977bad722cbff91cc8767203675a348bc6d2aa82827bfa31
Instruction ID: 1099cce34f567fd60be8a031a5a51a19d96481b544ad3b4648bca5ea9ba95c46
Opcode Fuzzy Hash: d1ad7bca570202e0977bad722cbff91cc8767203675a348bc6d2aa82827bfa31
Instruction Fuzzy Hash: 2BD1BE70618302DFD714DF68D890A2ABBE5FF89314F49486CE88AC7791E735E990CB61

Function 00D67FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 00D68167

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: c4618cddb71a32c623f388e4895fed77e07733d3be9e08e4ddd83def79326681
Instruction ID: 60f67c88b46e334e89b1229a0064e3eabd4dd50c611c059a44c50c9173a3cefa
Opcode Fuzzy Hash: c4618cddb71a32c623f388e4895fed77e07733d3be9e08e4ddd83def79326681
Instruction Fuzzy Hash: 68D1F6729083614FC725CE18E49072EB7E2EB85718F198A2CE8A5AB384DB71DC45D7E1

Function 00D4CCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D4CDC3, 00D4CDCB

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: a766a7f27e67b0dbf71e10f200a4d4c37d64748d7b85aa48a127fec9dbfa48ad
Instruction ID: eb5aea5f6a1f168d70a66e47c32fd3951a9502129321516918fa9f14250322e2
Opcode Fuzzy Hash: a766a7f27e67b0dbf71e10f200a4d4c37d64748d7b85aa48a127fec9dbfa48ad
Instruction Fuzzy Hash: 9DB1EE70A1A3019BDB14DF18D881B2BBBE2EF95344F18592CE5C58B351E335E859CBB2

Function 00D2A850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 00D2A9C3

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction ID: 5dd6d4b6fe60ecf14d3434ce549200f5324d6c62b1d67366904c3d52b6217575
Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction Fuzzy Hash: E2B128711083819FD324CF1DD88061BBBE1AFA9708F488A2DF5D997342D671EA58CB67

Function 00D5FC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D5FCA4, 00D5FCAD

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: accc488743b5aa7d6306156a89742abc434ab95c7a91b7fe903e1e92e619a6b8
Instruction ID: d88d89a937dc9f4c32dd7c92da6796d6f5e08f6f187070aee763eab2e795b7b4
Opcode Fuzzy Hash: accc488743b5aa7d6306156a89742abc434ab95c7a91b7fe903e1e92e619a6b8
Instruction Fuzzy Hash: 5B81AD71508300ABDB14DF59E885B2AB7F5FB99702F14882CF9C99B251E731D858CB72

Function 00D3D457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D3D663, 00D3D66B

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 6dce42590b5611246fcc90c08d8fddf598971e3759b259b08c071699271f5813
Instruction ID: bda36cf66f42981cac64d3b2ee98982bc2e2d9dbe7175a0390289b631d00f0b1
Opcode Fuzzy Hash: 6dce42590b5611246fcc90c08d8fddf598971e3759b259b08c071699271f5813
Instruction Fuzzy Hash: AD61B072908314DBD710AF18E882A2AB3B5FF95354F48092DF9898B391E771D954CBB2

Function 00DDA10B Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

E4w, xrefs: 00DDA34D

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: E4w
API String ID: 0-3493093250
Opcode ID: bc53fa3253c1714f30fcfc3d619a0b1e5935dc0a8d9c731348ee8797304639ae
Instruction ID: 54ff8a94f8490e620527e944d5b339ac20f87ea650a14ea603af2c3ca226003f
Opcode Fuzzy Hash: bc53fa3253c1714f30fcfc3d619a0b1e5935dc0a8d9c731348ee8797304639ae
Instruction Fuzzy Hash: 427128F3A483005FF3085E69EDD43BAB6D6DBD4320F2A853DA6C9C7784D9B948018695

Function 00D64A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D64C33, 00D64C3B

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: c16326346ae2d3c78b86cf4cc5d4c4db4faf5c46f8535378c96f7260f96ae63b
Instruction ID: bf771e20f46d0b974eac16d9c8db449d482cafc29551b2827ae84a6977db4e0f
Opcode Fuzzy Hash: c16326346ae2d3c78b86cf4cc5d4c4db4faf5c46f8535378c96f7260f96ae63b
Instruction Fuzzy Hash: D361CB716093019BD714DF69D880B2ABBE6EBC5314F29891CE9C9873A1D772EC40CB72

Function 00D2E1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00D2E333

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: db5973d390252c91ac0c9516206a662adedbbc2b6bd9438695f8eaafda6736c7
Instruction ID: 56c7d50acd2fa546d39bbb0298c346926e85ed952df661b19f40d35bb29aa35d
Opcode Fuzzy Hash: db5973d390252c91ac0c9516206a662adedbbc2b6bd9438695f8eaafda6736c7
Instruction Fuzzy Hash: A3510733A596A08BD324C93D6C553A97B870FB2338B2D8769E9F6CB3E5D555880043B0

Function 00D63920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D639E3, 00D639EB

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 7914471cce2b3c5012c0ceea3f3e3f4c631cfadf8e46010501fcdf0780527641
Instruction ID: 9d832c74470db604b19a34fbf7fe5d6b2b1bd665136bb961fa378f3df7f81c20
Opcode Fuzzy Hash: 7914471cce2b3c5012c0ceea3f3e3f4c631cfadf8e46010501fcdf0780527641
Instruction Fuzzy Hash: 21519A706093409BCB28DF59E980A2ABBE5EF85744F18881DE4CA87351D772DE50DF72

Function 00D31BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00D31C3E

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: d13a838ebe0f644bf46c39ac6cf0c980f0a0ef24379ccdd33c570aa3b51fe0c6
Instruction ID: 8bbce948a9118f71c97ebd81c7de6f0a984ab24d49eabc7e5cf47d4b30936b11
Opcode Fuzzy Hash: d13a838ebe0f644bf46c39ac6cf0c980f0a0ef24379ccdd33c570aa3b51fe0c6
Instruction Fuzzy Hash: 704131B84083819BC7149F28D894A2BBBF0FF86754F08991CF5C99B291E736C9158B66

Function 00D5FF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D60033, 00D6003B

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 09146def196d7f95821e594b4c3b1e6e1533b3f64097d4619fb056c9c8585c73
Instruction ID: 5531191f30a83fbed43d2b0fd521dd19b46956e8055c91e58e5c11d4e25ad383
Opcode Fuzzy Hash: 09146def196d7f95821e594b4c3b1e6e1533b3f64097d4619fb056c9c8585c73
Instruction Fuzzy Hash: 7231C6B1908315ABD710EB54EC81B2BBBE9EB95748F544828F985D7252E332DC14C7B3

Function 00D4E40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 00D4E6A2

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 43d56ab76005bea97f60b56869280fe531d8a6f9747bce7820fd972bee9e840d
Instruction ID: 81e3d4d969ed3344d31fffc2e3a9f0fbf18fe3ae029a649e5a6a327144988cec
Opcode Fuzzy Hash: 43d56ab76005bea97f60b56869280fe531d8a6f9747bce7820fd972bee9e840d
Instruction Fuzzy Hash: 2131D2B5900305DFDB20CF98E8805AFB7B5FB1A315F180968E54AA7301D335AD45CBB2

Function 00D36F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D3703B

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: dbbfa81963c668eb154dc29f2c94bc54700488bea3d13a8763417aac7341d76a
Instruction ID: 7ebf80ddd4c7d851d57a889f4fc1ddf5a49f9535cdf938470224c96bad229b2a
Opcode Fuzzy Hash: dbbfa81963c668eb154dc29f2c94bc54700488bea3d13a8763417aac7341d76a
Instruction Fuzzy Hash: 4F4144B5604B04DBD7388B65D994B26B7F2FB49701F188918E58A9BAA5E371F8008B30

Function 00D4E66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 00D4E6A2

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 1f50009ec92de5b82cafaf088c177e1f7da7f0d459e4705b3f9d07e43f7cf26a
Instruction ID: fc32bdd56a22d3cd9748c97c48082cf91bc6725f51b39ce9cf738806916bc9d4
Opcode Fuzzy Hash: 1f50009ec92de5b82cafaf088c177e1f7da7f0d459e4705b3f9d07e43f7cf26a
Instruction Fuzzy Hash: EC21ADB5900305DFCB20CF98E88096FBBB5FB1A705F180918E54AAB301D335AD41CBB2

Function 00D69CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 00D69D30

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 942ed655f6706fa11f03dd51367e1375fc9295b0ca03c99c41d49e00ab5859d2
Instruction ID: d2db3a6878263a081c12979d037da09c1050902ddf8e031d9ce0c2bf7574d1c7
Opcode Fuzzy Hash: 942ed655f6706fa11f03dd51367e1375fc9295b0ca03c99c41d49e00ab5859d2
Instruction Fuzzy Hash: F73187709083009BD314EF18D890A2BFBF9FF9A358F18892CE5C897251E375D945CBA6

Function 00D34E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ceb631dfcc5fdfc204650c8fbf57b453661343d9f38bc4581c9074f2ec1403d
Instruction ID: 9476d8d7441487016dcccb057630900300e908fd1892f2da2659c0638595185e
Opcode Fuzzy Hash: 0ceb631dfcc5fdfc204650c8fbf57b453661343d9f38bc4581c9074f2ec1403d
Instruction Fuzzy Hash: 736258B4500B008FD725CF28E981B27B7F5EF59704F58896CD49A8BA56E775F804CBA0

Function 00D2BEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: 6dcc05ef61617e8da8661e9f1da6222b27fa24fe0b1b2bf0797d84d9911b7572
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: E652F8319187218BC7259F18E4402BEB3E1FFE431DF299A2DD9C693290D735AC51CB96

Function 00D68652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52dfeef97964067e6286d6dcf6c94428dec8ed25a1ba1609d7eb3c431e311715
Instruction ID: c3cace7f0acc3e62f50fc1eaa605cbe0e3b93fb481358b4fc0bd56c83178fded
Opcode Fuzzy Hash: 52dfeef97964067e6286d6dcf6c94428dec8ed25a1ba1609d7eb3c431e311715
Instruction Fuzzy Hash: 4522BA35608341CFC705EF68E89062AB7E1FB8A315F49896DE989C7361E735D890CB62

Function 00D686F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ac5b4ef756b84fd6f11224e1fc31da19ac3952e31a143c1e7f0d8fa5735828
Instruction ID: f68dcf29a58536bca847c86e88f7c654fcbee9c0a86b1e4944c12700a80f85cb
Opcode Fuzzy Hash: e6ac5b4ef756b84fd6f11224e1fc31da19ac3952e31a143c1e7f0d8fa5735828
Instruction Fuzzy Hash: 8122A935608340DFC705EF68E89061AFBE5EB8A305F49896DE9C9C7361E735D890CB62

Function 00D2B3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd01fe70f473c0df54584a669602501deb0adf0e24cc89562e638193b16fd9a
Instruction ID: b9f61272d5df6be6595d385f121ba2e37e9cfba8d926697318c5870a4c3cc3ee
Opcode Fuzzy Hash: fcd01fe70f473c0df54584a669602501deb0adf0e24cc89562e638193b16fd9a
Instruction Fuzzy Hash: 9F52AB70908B948FE735CB24D4447A7BBE1EFA1328F184C1ED5D607B82C7B9A985CB61

Function 00D271F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49f7c2a98a6d5d6a6d82360f773da68e99ce041c6d44fa659aa65c80d793a68
Instruction ID: 381494db1f9edc44f46f93c355c6406883e70fac82fef9b167e37dc384411ae7
Opcode Fuzzy Hash: e49f7c2a98a6d5d6a6d82360f773da68e99ce041c6d44fa659aa65c80d793a68
Instruction Fuzzy Hash: 8B52E23150C3658FCB25CF28D0806AABBE1BF98318F188A6DE8D957341D734D889CBA1

Function 00D28FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2201e8f87029b62437db4157abb4b39911eb4fe637a501c7b4795d824e6eb85f
Instruction ID: 373d5f16dc8cab98bb33aa7e9d4f7e8c2d79c6f942cc395969950e3a71fb36be
Opcode Fuzzy Hash: 2201e8f87029b62437db4157abb4b39911eb4fe637a501c7b4795d824e6eb85f
Instruction Fuzzy Hash: D8424779608301DFD704CF28E86075ABBE1BF88359F09886DE4898B391D775D985CFA2

Function 00D27BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469fd878e2f126412a533bc5268ea8940f18cbd057a9c8e81359bfe1cf16a1c1
Instruction ID: 73d9e843935b5e539ef4c18a9002dfa7af5495ecbe447afff70714cf0010f9c3
Opcode Fuzzy Hash: 469fd878e2f126412a533bc5268ea8940f18cbd057a9c8e81359bfe1cf16a1c1
Instruction Fuzzy Hash: 12323270519B218FC338CE29D690526B7F1BFA5304B644A2ED6A787F90D736F845DB20

Function 00D689A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1632b00493762452d8185fae47f64d122fb4eab2a43fcf6dbb34f91b466a9fd2
Instruction ID: 1823913e51baa7386498c60fc094a87de784eff06012ff2c9d3762201276b262
Opcode Fuzzy Hash: 1632b00493762452d8185fae47f64d122fb4eab2a43fcf6dbb34f91b466a9fd2
Instruction Fuzzy Hash: A1029934608340DFC705DF68E89061AFBE5EB8A305F09896DE5C9C7362E735D850CBA6

Function 00D68A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 470f04a85341c890484aac8b899f9099b8a674f320812c94f24c3131d845d5e3
Instruction ID: aaa1b7b7336bb95c6f2db84965b9cfe756eb363ecae3f956dacc45048e2dfe83
Opcode Fuzzy Hash: 470f04a85341c890484aac8b899f9099b8a674f320812c94f24c3131d845d5e3
Instruction Fuzzy Hash: 5AF18734608340DFC705DF68E89061AFBE5EB8A305F09896DE5C9C7362E736D950CBA6

Function 00D68C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268c319eae1590ad4874343048e461415eb780888c217d721b29e50ef0c82570
Instruction ID: ce964a27a300d4e2857cef8cf44bb4efe7b8a81935d220e88b37d39e60b5b28d
Opcode Fuzzy Hash: 268c319eae1590ad4874343048e461415eb780888c217d721b29e50ef0c82570
Instruction Fuzzy Hash: ACE1AE31608340CFC705DF28D89062AF7E5EB8A315F09896DE5D9C7362E736D950CBA2

Function 00D2A300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: 58189c6cb10e8439676a893830668058062d85cc5da45c5992d794ac05fd46c9
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: E6F1AC756087418FC724CF29D88166BFBE2EFE8304F08882DE4D587751E639E945CBA6

Function 00D68E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0100302a3f56950a6cabaafe6af81bddfddf3630cac205e4f0d0f982b9e727
Instruction ID: 14ffb15f1e5962c6437b690f72ed97540507b4e2cddbe5f052956ac2bef771b6
Opcode Fuzzy Hash: 5b0100302a3f56950a6cabaafe6af81bddfddf3630cac205e4f0d0f982b9e727
Instruction Fuzzy Hash: 31D17B3460C340DFD705EF28D89062AFBE5EB8A305F49896DE5C987352E736D850CBA6

Function 00D34487 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be2882be5ef66f0e56ee1dd8c142d3b3b6cc23eef6b5e5df06d1d8211c79018
Instruction ID: b46ddba9ce7e3479898b19678055da91ad99ecfc31b2eee123372d6928ce0506
Opcode Fuzzy Hash: 8be2882be5ef66f0e56ee1dd8c142d3b3b6cc23eef6b5e5df06d1d8211c79018
Instruction Fuzzy Hash: DCE1DFB5501B008FD365CF28E992B97B7E1FF06708F04886DE4AACB752E775B8148B64

Function 00D66CBF Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08acf9332848ffca565a14372396b96df71b4f1bdbf6e3d08785569e0bb8411
Instruction ID: b166deb004ab40bb81a4d9c55d3ba7bdb74c3a5e5a16dc1c552edd481cfd8b79
Opcode Fuzzy Hash: b08acf9332848ffca565a14372396b96df71b4f1bdbf6e3d08785569e0bb8411
Instruction Fuzzy Hash: A1D1D23661C355CFC715CF38E88052AB7E1AF89314F098A6DE499C7395E335DA84CBA2

Function 00D67AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4717365fef71220d4122333474bc4bcd9af9465cb0135b615cada5af1a63352
Instruction ID: d51255a575f938ee7eb983af8c47ea0cac29a0916600e70d169f5fec7f8a539b
Opcode Fuzzy Hash: f4717365fef71220d4122333474bc4bcd9af9465cb0135b615cada5af1a63352
Instruction Fuzzy Hash: 00B1E372A083548BE314DA28CC41B6FB7E5EFC4318F09496DF99997392E635DC048BB2

Function 00D2AF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: 28b53e883824da74170c4cc619f52680e746635f3949386bd28d0dc4f48e16d2
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: 62C18BB2A087518FC360CF28DC96BABB7E1FF85318F08492DD1D9C6242E778A155CB56

Function 00D36536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236a24f825f6b7618a4be9e0f1325ef5e057476a9a1247cae5ccc1bbf302675f
Instruction ID: 1d1c3319be02099792287789a66bf038e7079daac76808dce1e460ac0ed6653d
Opcode Fuzzy Hash: 236a24f825f6b7618a4be9e0f1325ef5e057476a9a1247cae5ccc1bbf302675f
Instruction Fuzzy Hash: 4CB101B4600B409BD321CF24D981B27BBF1EF5A704F54885CE8AA8BB52E775F805CB65

Function 00D67710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b06df25341b98875b29730374d9eba69a23010be7313d8c73c0bdb3d7c2d3019
Instruction ID: 6900b8dbbaed71017a670324073b7c25740f8af403fba37f5bca6711f5834c5d
Opcode Fuzzy Hash: b06df25341b98875b29730374d9eba69a23010be7313d8c73c0bdb3d7c2d3019
Instruction Fuzzy Hash: 7C91AD71A0C305ABE724CB14D840BAFBBE6EB85358F58481DF89987351E730E940CBB2

Function 00D6A0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6543e23a6a6417ea57982d51102df13b09e15cf8ee702201358788c32a7dc66f
Instruction ID: 0392d3cc6ebabd4cc58045a95796165a043ebbd95325396f5726d4febb302bbd
Opcode Fuzzy Hash: 6543e23a6a6417ea57982d51102df13b09e15cf8ee702201358788c32a7dc66f
Instruction Fuzzy Hash: C48169342087018BD724DF6CD890A2AB7E5EF99740F59892CE5C6EB351E735EC50CBA2

Function 00D564F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277434e59be0c68fb56bb001f12c775582739981be083191002a1be532dfd5fd
Instruction ID: eb6da5845c487a6feb6a1ca9068279db88c920092fb7f858cd11733ee265caf7
Opcode Fuzzy Hash: 277434e59be0c68fb56bb001f12c775582739981be083191002a1be532dfd5fd
Instruction Fuzzy Hash: 5671D633B69A904BC7248D3C5C413A5AA834BD6335B7D8379EDF4CB7E5D569C80A4360

Function 00D428E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe22ee31ce54a9d6c10107117283b3d6062b87f45c1b2e95b9fd93d169caa29
Instruction ID: cdc3b21edc3469b316e9bd2c0c73b4e07e9b2b83718c57fa69d9e3dca20025d0
Opcode Fuzzy Hash: fbe22ee31ce54a9d6c10107117283b3d6062b87f45c1b2e95b9fd93d169caa29
Instruction Fuzzy Hash: D86164B44183509BD310AF18E891A2ABBF0EFA6754F48495CF4C58B361E379D950CBA6

Function 00D47C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6e9e57813915ec685059f80ef659553f0538b384ab4ef51442ca161e12b49f
Instruction ID: fd4de45542b4748e03a4b418f740a3e438ecbcd7baee558866fbf8640bc32b4f
Opcode Fuzzy Hash: dd6e9e57813915ec685059f80ef659553f0538b384ab4ef51442ca161e12b49f
Instruction Fuzzy Hash: 4A51AFB1A18204ABDB209B24CC96BB733B4EF95768F184958F985CB291F375DC05C772

Function 00D51860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: 37a70d1aed8cf1cbd827af792a02505b3c562d97183c1edda53898ae24e52e3e
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: 7B61D339609301ABDB15CE2CC58071FBBE2ABC5352F68C92DFCD98B251D270DD4A9B51

Function 00D582D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16ecf42b323420af2d94eb1847f8ac8f06a77b028e05b359dd16333018fbc8c
Instruction ID: 0ba104980703e1ce8ee580dd42fabbfd481658d201207c8df0dfd40dbccd287a
Opcode Fuzzy Hash: d16ecf42b323420af2d94eb1847f8ac8f06a77b028e05b359dd16333018fbc8c
Instruction Fuzzy Hash: BB613923A5AA904BD714453D5C453AAAA831BD2332F3DC365DCF2EB3E4DD6988096371

Function 00D342FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06fcf645b64630cb97012e26f5b9b4cd6e1bfe04197a18c75a4eb7d4f5285b1
Instruction ID: 6fb966f82eb245dbca12a1719d710f562bec3abdda6ff87b23ab827e8672a7dd
Opcode Fuzzy Hash: a06fcf645b64630cb97012e26f5b9b4cd6e1bfe04197a18c75a4eb7d4f5285b1
Instruction Fuzzy Hash: B781EFB4810B00AFD360EF39D947757BEF4AB06201F504A1DE8EA96694E730A419CBE2

Function 00E27531 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ea7e3432affd3fbf2626862987c97c15b7bc33829d5438cfb27a3490051f1f
Instruction ID: 98a6907c237362e74c75403f0325947e8844daf6e146beefb44ba048788b5c5b
Opcode Fuzzy Hash: 91ea7e3432affd3fbf2626862987c97c15b7bc33829d5438cfb27a3490051f1f
Instruction Fuzzy Hash: 5D6106F3A183009BE3046E29DDC176AF7E6EFD4320F1B8A3DEAC847344E97548058656

Function 00E98C03 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a137d18d96692d45fde8e16e57b522d9eb91eb8a73444adf9420974a9e40cbe9
Instruction ID: 3e2248b5879f9f0b3d15052bf3d37797e815b371f9ff387d83df529a8f3ec054
Opcode Fuzzy Hash: a137d18d96692d45fde8e16e57b522d9eb91eb8a73444adf9420974a9e40cbe9
Instruction Fuzzy Hash: FB513EF3A182048FE704AE2DDC9533BB7DAEFD4710F1A813D9B9587780E97999058386

Function 00E1B18D Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69157a9a62cf7f2b26de45f2b62ef4c03f816e59d82840007e711afed1d9e6d1
Instruction ID: 946a1efd8151b9bb22f272c5063be79b0d2e23d33b26223859ebe80c96cb9d04
Opcode Fuzzy Hash: 69157a9a62cf7f2b26de45f2b62ef4c03f816e59d82840007e711afed1d9e6d1
Instruction Fuzzy Hash: 235135F3F182145BF304693CEC9576A7696E794360F1B423DEA8597BC8E9398C0443C5

Function 00D5E8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: 205b5c962435e14067ef3fe32ce1eb300b8e5e5137a343c80c0a455dbe4d56e8
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: DE515AB16087548FE714DF69D49435BBBE1BB85318F044A2DE8E987350E379DA088B92

Function 00F8BCAC Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaff0cdb2a3a2d5df13c1636a7fef0beddafac6473a3f06bb9c0101411f562e6
Instruction ID: 581dea53b3521399170f37f7d12fdd945a0fed87e0af098132e1780c6ec4c7d6
Opcode Fuzzy Hash: eaff0cdb2a3a2d5df13c1636a7fef0beddafac6473a3f06bb9c0101411f562e6
Instruction Fuzzy Hash: 8851D3B351C705EFD309BE29CC816BAB7E6EB84310F25892DE6C686714DB305841BB57

Function 00ED0326 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fc5521b6d553d75060b08531e3d3eb8f4fee7d4e038ea2e920740c4050f27f
Instruction ID: eb69c43ad570a77692393ad6bb773e3ae5d18fe6c35409c7d1a41a6de8f6a634
Opcode Fuzzy Hash: 97fc5521b6d553d75060b08531e3d3eb8f4fee7d4e038ea2e920740c4050f27f
Instruction Fuzzy Hash: 88516AF3E082105FE7089A6DDC9536AB7D5EB84760F1A453CEE89D7784E83A5C0482D6

Function 00D67520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bca66bb3afa57fe4e281ad5b606660449b14dc166010ed935ef8d6595d0774c
Instruction ID: 9b91911745f4d9514b5c6068017dcaf07a694367e5fd00a2e32dd219917360db
Opcode Fuzzy Hash: 8bca66bb3afa57fe4e281ad5b606660449b14dc166010ed935ef8d6595d0774c
Instruction Fuzzy Hash: 2151E57160C304ABC7159E1CDC90B2EB7E6EB85758F288A2CE9D997391D631EC1087B2

Function 00EE9A49 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd8680f6287d6f8eacabbc1c63d911d5e6bdc706eddac7cae43cb28aaef916c8
Instruction ID: ddcb5a5ba2900ffb3d138fed412e3c6f25b8a1d5f87c76dfe6ebc95152bb29bc
Opcode Fuzzy Hash: dd8680f6287d6f8eacabbc1c63d911d5e6bdc706eddac7cae43cb28aaef916c8
Instruction Fuzzy Hash: B45146B3F086245BF3185829DC5577BB7C6DB94320F2B023DEA9AD3780EDB95C014286

Function 00D25A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643b170837459a0b753270c3150f833930e46c1910730620976ba8ab43c65764
Instruction ID: 0c4bdcc130df444c44972228c8f358dd4b799b14779cd627ff95208a3cd1386b
Opcode Fuzzy Hash: 643b170837459a0b753270c3150f833930e46c1910730620976ba8ab43c65764
Instruction Fuzzy Hash: 7D51D475A047249FC714DF14F881D2AB7A1FFA9328F19466CE8958B352D631EC42CBB2

Function 00D4EC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e362624985843d6dac0bbc587130788d174de6b1cae82637c08c85c2026ca8
Instruction ID: a58b37529464b58f1e64ea8387647c60b6552c74556ebc6c0d5309a8724b73ed
Opcode Fuzzy Hash: 46e362624985843d6dac0bbc587130788d174de6b1cae82637c08c85c2026ca8
Instruction Fuzzy Hash: 27416078D00315DBDF208F58DC91BADB7B1FF0A340F184548E955AB391EB38A951CBA1

Function 00D69B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23ce01edc953d9fa8aa25297569ec70eba434592adf88739bd97e95395d30488
Instruction ID: 91134bb8b15d5f09c54e5f0237d402ca50081ad060134a70050726adda67b46d
Opcode Fuzzy Hash: 23ce01edc953d9fa8aa25297569ec70eba434592adf88739bd97e95395d30488
Instruction Fuzzy Hash: A3419D74608300ABDB14DB19E9A0B2BF7EAEB85710F19882CF58997251D371E851CB72

Function 00F6B91D Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1268f385976727a1bc0f984650c034a0645f68f4021cc1726e96bfd75fdd0f
Instruction ID: d47315557aff978821ef5f5296b067d1a5999a4502a6575873c0095da0d375d0
Opcode Fuzzy Hash: 5d1268f385976727a1bc0f984650c034a0645f68f4021cc1726e96bfd75fdd0f
Instruction Fuzzy Hash: 044194F290C2149FE708BF28EC9567ABBE5EF58350F16092DEAC987340E63558508B87

Function 00D32030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0ad7dad90a22b574e1b8b59f45efd790ca6bdde5e3e09c6eb74e2020bb221b
Instruction ID: 39f4e4ef311a352ceca45ef378859df4d020df4b63912882c7b0db94b45e7f3a
Opcode Fuzzy Hash: fc0ad7dad90a22b574e1b8b59f45efd790ca6bdde5e3e09c6eb74e2020bb221b
Instruction Fuzzy Hash: D041E772A183654FD35CCE29849023ABBE2AFC5300F09866EE4D6873D4DAB58945D791

Function 00D31E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f6db8fa7af8c5f96912a638efd9e354c23462913091c4f08e7343f9da2617e9
Instruction ID: 1ed6b69c451bd13733a2fdb6130f3e7a4b5a440c571b36b440bfaeba680c4ff1
Opcode Fuzzy Hash: 8f6db8fa7af8c5f96912a638efd9e354c23462913091c4f08e7343f9da2617e9
Instruction Fuzzy Hash: B841FF755083809BD321AB58C884B2EFBF5FB86355F184D1CF6C497292C376E8148F66

Function 00D68D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113b3eed2a33abedff2817ba8e2a3a2bc375be92ca64c3a87d7757c9f267a0f2
Instruction ID: 73b1eca36c6fed60ccfea795db714c2c2af6f5471905dca0e7b7bd4b59d1090e
Opcode Fuzzy Hash: 113b3eed2a33abedff2817ba8e2a3a2bc375be92ca64c3a87d7757c9f267a0f2
Instruction Fuzzy Hash: 9041BF3160D2508FC704DF68C49052EFBE6AF99300F1A8A2DD4D5E72A1DB75DD058BA2

Function 00D3D961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35471f1a303ae7386621fd7579070a36cbbf9574e1d03802b44e7d45ab11b232
Instruction ID: 2895284409961bca6475ded41a1b97e8e3b23a95f72120f27e0c7606a206dfb7
Opcode Fuzzy Hash: 35471f1a303ae7386621fd7579070a36cbbf9574e1d03802b44e7d45ab11b232
Instruction Fuzzy Hash: 70416AB1548391CBD7309F14D845BABB7B1FFA6364F080959E48A8B791E7744940CBB3

Function 00D5F030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: e0c673756cdef079a08aae2bb6036e3993d6f474faa661db7a4106a75e09623f
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: F621DA3290821457C7249B5DC48163BF7E5EB99706F0A863EEDC49B295E335DC1487F1

Function 00D667EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4211bf260cff50676651c01b26f76edb14fa45941b104fcffd35da468e4a42fd
Instruction ID: 9cb6c2f9482ef50f1a54ef484d460fd934c397ad84aedd28980ea5a51d9725c4
Opcode Fuzzy Hash: 4211bf260cff50676651c01b26f76edb14fa45941b104fcffd35da468e4a42fd
Instruction Fuzzy Hash: C83104705183829BD714CF14C49066FBBF0EF96788F54590DF4C8AB261D338D985CBAA

Function 00D45E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d475fdb1f1cb80c7ba7bcc54211b51062aaaf16c3c40b6d94f656647c20048e
Instruction ID: 7fee0658111df1f655cf44b1496b5e867baa63ad3ff63b9b13d3a89a1394900d
Opcode Fuzzy Hash: 4d475fdb1f1cb80c7ba7bcc54211b51062aaaf16c3c40b6d94f656647c20048e
Instruction Fuzzy Hash: 7C21AE705082019BC310AF28D85192BBBF8EF96764F488918F4D99B296E335CA04CBB3

Function 00D249A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: 420ac30c06751724b3074a8ef21eacf35979e522369a0e885c52d39991c06916
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: 8B31D8316582209BD7109E18E881A2BB7E1EF9435CF1C992DECDA87241D235DC42CFA6

Function 00D664B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5106ca08ac2cd86b497463175709433f7c861325722a1a91bf1d5667924b5c9b
Instruction ID: c34f3fb34b83bfe432f3d9b3f0c5e20a8e16fb7e17abcf39895ea5a600f5a6ff
Opcode Fuzzy Hash: 5106ca08ac2cd86b497463175709433f7c861325722a1a91bf1d5667924b5c9b
Instruction Fuzzy Hash: DE21367060C2409BC708EF19E580A2EFBF6EB95745F28881CE4C993365DB35E890CB72

Function 00D65700 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d15302dcaae3c258b3ca8ff2c97c2081a2c7b465999557dc6e4b86b9de488c9c
Instruction ID: 86f2f4826a695ffa5f4d0e7eac811668312d4c3db57ecc6c2ddc67bc9a2bb3ac
Opcode Fuzzy Hash: d15302dcaae3c258b3ca8ff2c97c2081a2c7b465999557dc6e4b86b9de488c9c
Instruction Fuzzy Hash: 2B118C71918280EBC301AF28E840A1FBBF5EF86710F058828E4C8DB311D335D951DBB2

Function 00D5B650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 764b503c49a3bb63c01bbd90ec005e4d017088fe04e81cd24d8a69505996ea01
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 1A118633A051D44EC7168D3C8440565BFE31AA3636B5D439AFCB49F2D2D7228D8E8365

Function 00D50B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: 2bf43bba7b6b1a8f1a8a4c32e934186740ae17a9fd81e2af71982c069250668a
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: AB0171F5A1030247EF209E54A4D1B3BB6B8AF9571DF1C452CED0657202DB75EC09C6B2

Function 00D4D1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0291b5f11c0cd3ca48afd949b4844b69f528004c4df2b3cd92c81f42a8e97f95
Instruction ID: 2e5788f836aa15e5d3ef6b7ae3ff8b0f7ab077ecf65e3486848e4a23671b54db
Opcode Fuzzy Hash: 0291b5f11c0cd3ca48afd949b4844b69f528004c4df2b3cd92c81f42a8e97f95
Instruction Fuzzy Hash: 6511DDB0408380AFD3109F658484A1FFBE5EBA6714F148C0DF5A49B251C375D819CB66

Function 00D26EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4deee3ee665c69185e230c22560505673e09307dc33c6fb5d30545ea64683c5f
Instruction ID: f39414054ba2fa9769025531417f13a3d5a87feeb6cf18ef637c474c66663186
Opcode Fuzzy Hash: 4deee3ee665c69185e230c22560505673e09307dc33c6fb5d30545ea64683c5f
Instruction Fuzzy Hash: 8EF0BB3B7193190BA610CDAAB884837B396DBD5369B195539EA41D3205DD71E80551B0

Function 00D5B8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 00D3C5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 00D3B410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 7cb2c6581539186cc3ce8089e8252a70f7ff1c02a50ffa39503acfe70a77cce7
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: 23F0A7B1A0451457DB228A589C80B37BB9CCB86368F190427E98557103D2615845C3F9

Function 00D58220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ebdc153385eea7acb3f0c312b383d7751eea8dbd2ba255538ecbffe416e91c
Instruction ID: 90456020635629a19dd118ecc86d842fdc209fe277089e177b0a67a6e8d26b61
Opcode Fuzzy Hash: 56ebdc153385eea7acb3f0c312b383d7751eea8dbd2ba255538ecbffe416e91c
Instruction Fuzzy Hash: 6201E4B04107009FC360EF29C445757BBE8EB08714F404A1DE8EECB780D770A5448B92

Function 00D61440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: de0dfc759f3be4f52b51a4be62a782672552c3c81c9992d8bc8a29ce2c0c3b73
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: A8D0A735648321479F748E19A410977F7F0EAC7B51F4D955EF586E3148D630EC41C2B9

Function 00D31ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b10fa18cbaf0da361687faa1ce9c0284b3f68711195b47e587516483787275d
Instruction ID: 7c4e2ae5d37de240402b279c2af56ebf96e1e5838501b38aee387a7770eb67be
Opcode Fuzzy Hash: 6b10fa18cbaf0da361687faa1ce9c0284b3f68711195b47e587516483787275d
Instruction Fuzzy Hash: 63C01239A182018B82048F01FC99432A2B8A30A209B40602ADA02E3B21DAA0E4029939

Function 00D66094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730d167bd631d2320d48fd59b87ebf0382c57bcbd309c347aef4c2f4e2dc1c53
Instruction ID: 7119e83c6e0ac69d0702073725ed6b52340e3e19545d5f8e031efe0c5a970877
Opcode Fuzzy Hash: 730d167bd631d2320d48fd59b87ebf0382c57bcbd309c347aef4c2f4e2dc1c53
Instruction Fuzzy Hash: 4FC09B3465C100C7D30CCF04E951475F3769F97714B24B11DC84A63355D134D556A53C

Function 00D31A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b842267c6565933e1c7d6af360b1a20d8ce3c19c753c16031f32a7b89af72b82
Instruction ID: 7e072ce0e66d088f3f39827d3414bee5794bbc9f19439df57a1bc4f7b1bbeb35
Opcode Fuzzy Hash: b842267c6565933e1c7d6af360b1a20d8ce3c19c753c16031f32a7b89af72b82
Instruction Fuzzy Hash: 07C09B35A5D645CBC244CF86FCD1431A3FC9307209B10303AD743F7761C9A0E4058539

Function 00D65FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2302637524.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000001.00000002.2302611539.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000D80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000000FE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2302721273.0000000001024000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303367671.0000000001025000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303551198.00000000011BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2303580535.00000000011BB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8f1a42d685cef74a82aec2c2e0da8989999a007df702d7b1692fd4cd39ec3c
Instruction ID: 330a40181580ea788933dc4e9d682301ddfd50d105dd1bba7b5bce07f0d0510d
Opcode Fuzzy Hash: 1d8f1a42d685cef74a82aec2c2e0da8989999a007df702d7b1692fd4cd39ec3c
Instruction Fuzzy Hash: DEC09224B682008BE34CCF18DD51935F2BA9B8BA18B14B02DC84AE3356E134D552962C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 00D650FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Function 00D2FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 00D2D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 00D65BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00D6695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 00D3049B Relevance: .3, Instructions: 264
COMMON

Function 00D30228 Relevance: .2, Instructions: 218
COMMON

Function 00D63220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 00D63202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON