Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1528271
MD5:	d9db4d0437a7307c4fd0f8b3f7bab2c6
SHA1:	df7705a0c061e1820e394a0b4c4ac13a7d9fd518
SHA256:	6c2d273d3f9a9f5589a2ebd49d862833abeecf0b76f5f6c770ae2cf14dc7a81a
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D9DB4D0437A7307C4FD0F8B3F7BAB2C6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["mobbipenju.stor", "bathdoomgaz.stor", "eaglepawnoy.stor", "studennotediw.stor", "spirittunek.stor", "licendfilteo.site", "dissapoiznw.stor", "clearancek.site"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T18:04:23.031218+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49731	172.67.206.204	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T18:04:23.031218+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49731	172.67.206.204	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T18:04:20.688959+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.4	49954	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T18:04:20.603340+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.4	54891	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T18:04:20.658950+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.4	56247	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T18:04:20.648005+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.4	57363	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T18:04:20.712780+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.4	50028	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T18:04:20.624398+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.4	50633	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T18:04:20.701520+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.4	57848	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T18:04:20.669955+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.4	57151	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges	URL Reputation: Label: malware

Found malware configuration

Source: file.exe.6544.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["mobbipenju.stor", "bathdoomgaz.stor", "eaglepawnoy.stor", "studennotediw.stor", "spirittunek.stor", "licendfilteo.site", "dissapoiznw.stor", "clearancek.site"], "Build id": "4SD0y4--legendaryy"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00FD50FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00F9D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00F9D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_00FD63B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00FD99D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	0_2_00FD695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_00F9FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00FD6094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00FD4040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_00FCF030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00FA6F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	0_2_00F91000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_00FBD1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00FA42FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00FB2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_00FB2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00FC23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00FC23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00FC23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00FC23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00FC23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	0_2_00FC23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_00F9A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_00FD64B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_00FBC470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00FAD457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_00FD1440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_00FAB410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00FBE40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00FA6536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	0_2_00FD7520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00FB9510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00FBE66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00FCB650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	0_2_00FD67EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00FBD7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_00FD7710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00FD5700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00FB28E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_00F949A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_00FAD961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	0_2_00FD3920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00FA1ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_00F95A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00FD4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00FA1A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00FA1BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00FA3BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00FC0B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	0_2_00FADB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	0_2_00FADB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00FD9B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00FD9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	0_2_00FD9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_00FBCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00FBCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	0_2_00FBCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00FBAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	0_2_00FBAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	0_2_00FBEC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	0_2_00FCFC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_00FB7C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00FD8D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00FBDD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	0_2_00FBFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00FA0EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_00FA6EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	0_2_00F9BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00F96EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00FA1E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00FB5E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00FB7E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	0_2_00FBAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	0_2_00FA4E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	0_2_00FAFFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00F98FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00FD5FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	0_2_00FD7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00FD7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00FA6F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00FCFF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00FB9F62

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.4:50633 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.4:54891 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.4:49954 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.4:57363 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.4:57848 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.4:50028 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.4:57151 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.4:56247 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 172.67.206.204:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 172.67.206.204:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: mobbipenju.stor
Source: Malware configuration extractor	URLs: bathdoomgaz.stor
Source: Malware configuration extractor	URLs: eaglepawnoy.stor
Source: Malware configuration extractor	URLs: studennotediw.stor
Source: Malware configuration extractor	URLs: spirittunek.stor
Source: Malware configuration extractor	URLs: licendfilteo.site
Source: Malware configuration extractor	URLs: dissapoiznw.stor
Source: Malware configuration extractor	URLs: clearancek.site

Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View	IP Address: 172.67.206.204 172.67.206.204

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: file.exe, 00000000.00000002.1715990710.0000000000B26000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000002.1715990710.0000000000B26000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000002.1715990710.0000000000B26000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000002.1715990710.0000000000B26000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=9yzMGndrVfY4&l=e
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000002.1715790734.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://licendfilteo.site:443/api
Source: file.exe, 00000000.00000002.1715790734.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mobbipenju.store:443/api2
Source: file.exe, 00000000.00000002.1715790734.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000002.1715790734.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/Z4~
Source: file.exe, 00000000.00000002.1715790734.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/apiJ4~
Source: file.exe, 00000000.00000002.1715790734.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/api
Source: file.exe, 00000000.00000002.1715790734.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spirittunek.store:443/api
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000002.1715990710.0000000000B26000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.1715790734.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000002.1715990710.0000000000B26000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000002.1715790734.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000002.1715990710.0000000000B26000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000002.1715790734.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://studennotediw.store:443/api:A
Source: file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.4:49731 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA0228	0_2_00FA0228
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDA0D0	0_2_00FDA0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151	0_2_01171151
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0117814C	0_2_0117814C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD4040	0_2_00FD4040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA2030	0_2_00FA2030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F91000	0_2_00F91000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F971F0	0_2_00F971F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9E1A0	0_2_00F9E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F95160	0_2_00F95160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010F2093	0_2_010F2093
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F912F7	0_2_00F912F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010A5316	0_2_010A5316
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC82D0	0_2_00FC82D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC12D0	0_2_00FC12D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC23E0	0_2_00FC23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9B3A0	0_2_00F9B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F913A3	0_2_00F913A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9A300	0_2_00F9A300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC64F0	0_2_00FC64F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA049B	0_2_00FA049B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA4487	0_2_00FA4487
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBC470	0_2_00FBC470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAC5F0	0_2_00FAC5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0116540D	0_2_0116540D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F935B0	0_2_00F935B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD86F0	0_2_00FD86F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD8652	0_2_00FD8652
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9164F	0_2_00F9164F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FCF620	0_2_00FCF620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0112C60A	0_2_0112C60A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FCB8C0	0_2_00FCB8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01254966	0_2_01254966
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FCE8A0	0_2_00FCE8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01168995	0_2_01168995
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC1860	0_2_00FC1860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0114F9CC	0_2_0114F9CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD89A0	0_2_00FD89A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB098B	0_2_00FB098B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD7AB0	0_2_00FD7AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD8A80	0_2_00FD8A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD4A40	0_2_00FD4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F97BF0	0_2_00F97BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01163A04	0_2_01163A04
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0116DA52	0_2_0116DA52
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FADB6F	0_2_00FADB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0112EAE9	0_2_0112EAE9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBCCD0	0_2_00FBCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD6CBF	0_2_00FD6CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0116FDB2	0_2_0116FDB2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD8C02	0_2_00FD8C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01172C83	0_2_01172C83
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB8D62	0_2_00FB8D62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBDD29	0_2_00FBDD29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBFD10	0_2_00FBFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01166F0E	0_2_01166F0E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010E8F3E	0_2_010E8F3E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA6EBF	0_2_00FA6EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9BEB0	0_2_00F9BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD8E70	0_2_00FD8E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01160F8F	0_2_01160F8F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBAE57	0_2_00FBAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA4E2A	0_2_00FA4E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01080FDD	0_2_01080FDD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01112FF9	0_2_01112FF9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F98FD0	0_2_00F98FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD7FC0	0_2_00FD7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010C6EC6	0_2_010C6EC6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9AF10	0_2_00F9AF10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01045EEB	0_2_01045EEB

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00FAD300 appears 152 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F9CAA0 appears 48 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9994714315181518
Source: file.exe	Static PE information: Section: aykcypxm ZLIB complexity 0.9934555607838795

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@10/2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC8220 CoCreateInstance,

0_2_00FC8220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static file information: File size 1904128 > 1048576

Source: file.exe

Static PE information: Raw size of aykcypxm is bigger than: 0x100000 < 0x1a7600

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.f90000.0.unpack :EW;.rsrc :W;.idata :W; :EW;aykcypxm:EW;ubrowdje:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;aykcypxm:EW;ubrowdje:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1d5772 should be: 0x1d5699

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: aykcypxm
Source: file.exe	Static PE information: section name: ubrowdje
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push 56378EF1h; mov dword ptr [esp], ecx	0_2_01171165
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push ebx; mov dword ptr [esp], 00000004h	0_2_01171169
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push 36CDEBA2h; mov dword ptr [esp], edx	0_2_011711D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push edi; mov dword ptr [esp], eax	0_2_011711DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push ecx; mov dword ptr [esp], eax	0_2_011712F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push edx; mov dword ptr [esp], ebx	0_2_0117133E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push edx; mov dword ptr [esp], eax	0_2_0117134A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push eax; mov dword ptr [esp], edi	0_2_0117135B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push ebx; mov dword ptr [esp], edi	0_2_011713F6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push ebp; mov dword ptr [esp], esi	0_2_0117141A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push 7BB994A5h; mov dword ptr [esp], ebp	0_2_0117143E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push 23EB7971h; mov dword ptr [esp], ecx	0_2_01171449
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push esi; mov dword ptr [esp], edi	0_2_011714A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push 493A902Eh; mov dword ptr [esp], esi	0_2_01171580
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push ecx; mov dword ptr [esp], 7FC5A50Dh	0_2_01171585
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push edx; mov dword ptr [esp], ebx	0_2_011715A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push 2F89FFC6h; mov dword ptr [esp], edx	0_2_01171632
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push eax; mov dword ptr [esp], 11060340h	0_2_0117163F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push 4B9E8014h; mov dword ptr [esp], eax	0_2_01171685
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push ebx; mov dword ptr [esp], 56DA3EE8h	0_2_011716A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push ecx; mov dword ptr [esp], ebx	0_2_01171783
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push 5A41C830h; mov dword ptr [esp], edi	0_2_011717E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push esi; mov dword ptr [esp], ebp	0_2_0117181B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push 60F39D68h; mov dword ptr [esp], edx	0_2_01171897
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push esi; mov dword ptr [esp], ecx	0_2_011718A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push edx; mov dword ptr [esp], ecx	0_2_011718D6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push 101279F5h; mov dword ptr [esp], ebx	0_2_011718DE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push 276FD3D1h; mov dword ptr [esp], ebx	0_2_0117199E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push 169F3D37h; mov dword ptr [esp], ebx	0_2_011719E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push ecx; mov dword ptr [esp], edi	0_2_01171B57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01171151 push 32A1FD80h; mov dword ptr [esp], esp	0_2_01171B5F

Source: file.exe	Static PE information: section name: entropy: 7.979411071304206
Source: file.exe	Static PE information: section name: aykcypxm entropy: 7.953761297245085

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF3CC6 second address: FF3CD0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3F5D28F316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1177C7E second address: 1177CA8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3F5CD29FE5h 0x0000000d popad 0x0000000e pushad 0x0000000f js 00007F3F5CD29FD8h 0x00000015 push edi 0x00000016 pop edi 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1177F4D second address: 1177F60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jc 00007F3F5D28F31Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1177F60 second address: 1177F6F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnl 00007F3F5CD29FD6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11783A1 second address: 11783AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11783AB second address: 1178402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F5CD29FDCh 0x00000009 popad 0x0000000a pop ecx 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F3F5CD29FE9h 0x00000012 jmp 00007F3F5CD29FE8h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a pushad 0x0000001b jnc 00007F3F5CD29FD6h 0x00000021 jc 00007F3F5CD29FD6h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B2C0 second address: 117B2F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jp 00007F3F5D28F320h 0x0000000f nop 0x00000010 mov cx, si 0x00000013 push 00000000h 0x00000015 mov dword ptr [ebp+122D2A1Ah], eax 0x0000001b mov dword ptr [ebp+122D21B9h], eax 0x00000021 push 7DB3F5D4h 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B2F5 second address: 117B2FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B3B8 second address: 117B3BD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B3BD second address: 117B3CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jnp 00007F3F5CD29FD6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B3CF second address: 117B3E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F3F5D28F316h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B3E2 second address: 117B3E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B3E6 second address: 117B426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F3F5D28F318h 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f push ebx 0x00000010 jmp 00007F3F5D28F31Eh 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F3F5D28F328h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B426 second address: 117B453 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3F5CD29FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [ebp+122D2A0Ah], edi 0x00000012 lea ebx, dword ptr [ebp+1245B1A5h] 0x00000018 pushad 0x00000019 pushad 0x0000001a xor cx, 256Dh 0x0000001f or dword ptr [ebp+122D3AF2h], ecx 0x00000025 popad 0x00000026 stc 0x00000027 popad 0x00000028 xchg eax, ebx 0x00000029 pushad 0x0000002a push esi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B52A second address: 117B5D5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3F5D28F31Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 4D56D421h 0x00000011 jmp 00007F3F5D28F31Bh 0x00000016 push 00000003h 0x00000018 xor dword ptr [ebp+122D1CEFh], ebx 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007F3F5D28F318h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 0000001Dh 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a mov edx, dword ptr [ebp+122D2B35h] 0x00000040 call 00007F3F5D28F320h 0x00000045 mov dword ptr [ebp+122D20C9h], edi 0x0000004b pop ecx 0x0000004c push 00000003h 0x0000004e mov edx, dword ptr [ebp+122D2C11h] 0x00000054 push 546394F7h 0x00000059 push ebx 0x0000005a pushad 0x0000005b jg 00007F3F5D28F316h 0x00000061 jmp 00007F3F5D28F31Ah 0x00000066 popad 0x00000067 pop ebx 0x00000068 add dword ptr [esp], 6B9C6B09h 0x0000006f mov edi, dword ptr [ebp+122D2B35h] 0x00000075 lea ebx, dword ptr [ebp+1245B1AEh] 0x0000007b mov si, dx 0x0000007e xchg eax, ebx 0x0000007f pushad 0x00000080 push eax 0x00000081 push edx 0x00000082 push eax 0x00000083 push edx 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B5D5 second address: 117B5D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B5D9 second address: 117B5F8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3F5D28F327h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B6A7 second address: 117B6AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B6AB second address: 117B71C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 add dword ptr [esp], 245C1D40h 0x0000000d mov dword ptr [ebp+122D17D3h], esi 0x00000013 push 00000003h 0x00000015 mov edx, eax 0x00000017 push 00000000h 0x00000019 call 00007F3F5D28F322h 0x0000001e and edi, dword ptr [ebp+122D2AC1h] 0x00000024 pop edi 0x00000025 push 00000003h 0x00000027 call 00007F3F5D28F326h 0x0000002c pushad 0x0000002d add ecx, dword ptr [ebp+122D2C29h] 0x00000033 popad 0x00000034 pop ecx 0x00000035 call 00007F3F5D28F319h 0x0000003a je 00007F3F5D28F31Ah 0x00000040 push eax 0x00000041 jl 00007F3F5D28F324h 0x00000047 push eax 0x00000048 push edx 0x00000049 push edi 0x0000004a pop edi 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B71C second address: 117B720 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B720 second address: 117B7B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jne 00007F3F5D28F31Ah 0x00000010 push edi 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 mov eax, dword ptr [eax] 0x00000016 jl 00007F3F5D28F322h 0x0000001c jng 00007F3F5D28F31Ch 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 jbe 00007F3F5D28F326h 0x0000002c pop eax 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F3F5D28F318h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 00000018h 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 jno 00007F3F5D28F317h 0x0000004d lea ebx, dword ptr [ebp+1245B1B9h] 0x00000053 mov dword ptr [ebp+122D21C1h], esi 0x00000059 xchg eax, ebx 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d js 00007F3F5D28F316h 0x00000063 jmp 00007F3F5D28F323h 0x00000068 popad 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B7B4 second address: 117B7BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119B33A second address: 119B34D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F3F5D28F31Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119B34D second address: 119B35F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3F5CD29FDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119B35F second address: 119B395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3F5D28F325h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jc 00007F3F5D28F318h 0x00000016 push eax 0x00000017 push edx 0x00000018 je 00007F3F5D28F316h 0x0000001e jp 00007F3F5D28F316h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119B395 second address: 119B399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119B399 second address: 119B3C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F5D28F323h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3F5D28F325h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11684BC second address: 11684D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11684D4 second address: 11684E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F3F5D28F316h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11684E3 second address: 11684E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11684E7 second address: 11684EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11993A6 second address: 11993BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F3F5CD29FDBh 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11993BD second address: 11993C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1199523 second address: 119952F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119952F second address: 1199535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1199535 second address: 1199539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11997E4 second address: 11997E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11997E8 second address: 119980C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F3F5CD29FD6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e jl 00007F3F5CD29FDEh 0x00000014 jnp 00007F3F5CD29FD6h 0x0000001a push eax 0x0000001b pop eax 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push esi 0x00000023 pop esi 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119980C second address: 119984F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5D28F31Eh 0x00000007 jnl 00007F3F5D28F316h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 jmp 00007F3F5D28F31Bh 0x00000017 jmp 00007F3F5D28F326h 0x0000001c jne 00007F3F5D28F316h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119984F second address: 1199868 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5CD29FE4h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11999B7 second address: 11999BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11999BB second address: 11999BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1199E57 second address: 1199E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1199E5D second address: 1199E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1199E61 second address: 1199E65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1199E65 second address: 1199E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1199E6F second address: 1199E73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1199E73 second address: 1199E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119A302 second address: 119A30F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3F5D28F316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119AAF1 second address: 119AAFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F3F5CD29FD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119AC3F second address: 119AC45 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A2EA3 second address: 11A2EA8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A6277 second address: 11A628A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5D28F31Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A5886 second address: 11A58CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5CD29FDEh 0x00000007 jmp 00007F3F5CD29FE3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F3F5CD29FDEh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F3F5CD29FE3h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A58CF second address: 11A58F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F3F5D28F31Eh 0x0000000a jl 00007F3F5D28F316h 0x00000010 jng 00007F3F5D28F316h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A5D84 second address: 11A5D9F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3F5CD29FDBh 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A5D9F second address: 11A5DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A5F36 second address: 11A5F54 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 je 00007F3F5CD29FD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007F3F5CD29FDDh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A5F54 second address: 11A5F59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1170C1F second address: 1170C27 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1170C27 second address: 1170C2C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1170C2C second address: 1170C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F3F5CD29FDCh 0x00000011 jo 00007F3F5CD29FDCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1170C4B second address: 1170C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AADEF second address: 11AADF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AADF3 second address: 11AADF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AB94A second address: 11AB95C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3F5CD29FD8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11ABC44 second address: 11ABC4E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3F5D28F316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AC4F9 second address: 11AC503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F3F5CD29FD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1164FB4 second address: 1164FCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5D28F31Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1164FCA second address: 1164FCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B0056 second address: 11B005C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AFDAB second address: 11AFDB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3F5CD29FD6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AFDB6 second address: 11AFDBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B0AFC second address: 11B0B25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov si, BAE7h 0x0000000d push 00000000h 0x0000000f mov esi, dword ptr [ebp+122D3B76h] 0x00000015 push 00000000h 0x00000017 and di, 0D33h 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 jp 00007F3F5CD29FD6h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AFDBC second address: 11AFDC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B29BF second address: 11B2A38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5CD29FE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F3F5CD29FE7h 0x00000010 jg 00007F3F5CD29FDCh 0x00000016 popad 0x00000017 nop 0x00000018 push esi 0x00000019 adc esi, 227E0EF6h 0x0000001f pop edi 0x00000020 push 00000000h 0x00000022 mov di, ax 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push esi 0x0000002a call 00007F3F5CD29FD8h 0x0000002f pop esi 0x00000030 mov dword ptr [esp+04h], esi 0x00000034 add dword ptr [esp+04h], 00000019h 0x0000003c inc esi 0x0000003d push esi 0x0000003e ret 0x0000003f pop esi 0x00000040 ret 0x00000041 add edi, 432D423Dh 0x00000047 xchg eax, ebx 0x00000048 push eax 0x00000049 push edx 0x0000004a push edx 0x0000004b push eax 0x0000004c pop eax 0x0000004d pop edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B2A38 second address: 11B2A42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F3F5D28F316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B2A42 second address: 11B2A6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5CD29FE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F3F5CD29FD6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4459 second address: 11B448C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3F5D28F329h 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3F5D28F31Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B9240 second address: 11B9275 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3F5CD29FE7h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3F5CD29FE4h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BB428 second address: 11BB42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BB42C second address: 11BB436 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F3F5CD29FD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BB436 second address: 11BB4FF instructions: 0x00000000 rdtsc 0x00000002 je 00007F3F5D28F316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F3F5D28F326h 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F3F5D28F318h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d mov ebx, dword ptr [ebp+122D238Ah] 0x00000033 call 00007F3F5D28F329h 0x00000038 add ebx, dword ptr [ebp+122D5889h] 0x0000003e pop edi 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push edi 0x00000044 call 00007F3F5D28F318h 0x00000049 pop edi 0x0000004a mov dword ptr [esp+04h], edi 0x0000004e add dword ptr [esp+04h], 0000001Bh 0x00000056 inc edi 0x00000057 push edi 0x00000058 ret 0x00000059 pop edi 0x0000005a ret 0x0000005b push 00000000h 0x0000005d call 00007F3F5D28F325h 0x00000062 and bx, 16CDh 0x00000067 pop edi 0x00000068 xchg eax, esi 0x00000069 jnc 00007F3F5D28F320h 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 jnl 00007F3F5D28F316h 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BB4FF second address: 11BB509 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3F5CD29FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BB509 second address: 11BB514 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F3F5D28F316h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B5CEF second address: 11B5CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B941D second address: 11B9433 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5D28F322h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B9433 second address: 11B943E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F3F5CD29FD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BDDC5 second address: 11BDDCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B943E second address: 11B9456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3F5CD29FDCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BDDCA second address: 11BDE2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F3F5D28F318h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 cld 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007F3F5D28F318h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 0000001Ah 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 push eax 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 ja 00007F3F5D28F316h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B9456 second address: 11B945A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BDE2A second address: 11BDE2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B945A second address: 11B9460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BDE2E second address: 11BDE38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BDE38 second address: 11BDE3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BDE3C second address: 11BDE40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BDF9F second address: 11BDFA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F3F5CD29FD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1169FDB second address: 1169FFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5D28F326h 0x00000007 je 00007F3F5D28F31Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1169FFB second address: 116A006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116A006 second address: 116A00A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116A00A second address: 116A014 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3F5CD29FD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C5DBA second address: 11C5DBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C6C8C second address: 11C6CED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push edi 0x0000000e jng 00007F3F5CD29FDCh 0x00000014 mov dword ptr [ebp+122D3B1Ch], esi 0x0000001a pop edi 0x0000001b push 00000000h 0x0000001d jmp 00007F3F5CD29FE3h 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push ecx 0x00000027 call 00007F3F5CD29FD8h 0x0000002c pop ecx 0x0000002d mov dword ptr [esp+04h], ecx 0x00000031 add dword ptr [esp+04h], 00000015h 0x00000039 inc ecx 0x0000003a push ecx 0x0000003b ret 0x0000003c pop ecx 0x0000003d ret 0x0000003e pushad 0x0000003f pushad 0x00000040 pushad 0x00000041 popad 0x00000042 mov ax, 9551h 0x00000046 popad 0x00000047 mov esi, edx 0x00000049 popad 0x0000004a xchg eax, esi 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C6CED second address: 11C6D03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F3F5D28F31Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C7B6D second address: 11C7B71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C7B71 second address: 11C7B84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3F5D28F31Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C7B84 second address: 11C7B88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C6E23 second address: 11C6E97 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3F5D28F316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e and bx, A005h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov dword ptr [ebp+122D3327h], ebx 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 sub edi, dword ptr [ebp+122D3327h] 0x0000002d mov eax, dword ptr [ebp+122D04C5h] 0x00000033 sub dword ptr [ebp+122D1FABh], esi 0x00000039 push FFFFFFFFh 0x0000003b push 00000000h 0x0000003d push ecx 0x0000003e call 00007F3F5D28F318h 0x00000043 pop ecx 0x00000044 mov dword ptr [esp+04h], ecx 0x00000048 add dword ptr [esp+04h], 0000001Ch 0x00000050 inc ecx 0x00000051 push ecx 0x00000052 ret 0x00000053 pop ecx 0x00000054 ret 0x00000055 push eax 0x00000056 pushad 0x00000057 jmp 00007F3F5D28F31Fh 0x0000005c push eax 0x0000005d push edx 0x0000005e push esi 0x0000005f pop esi 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D2185 second address: 11D218F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D218F second address: 11D2195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D7D28 second address: 11D7D50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3F5CD29FE8h 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D7D50 second address: 11D7D54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D7F02 second address: 11D7F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DDC42 second address: 11DDC46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DCA48 second address: 11DCA51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DD063 second address: 11DD069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DD069 second address: 11DD071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DD19B second address: 11DD1AE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3F5D28F31Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DD1AE second address: 11DD1C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3F5CD29FE1h 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DD1C5 second address: 11DD1C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DD1C9 second address: 11DD1CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DD310 second address: 11DD31A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F3F5D28F316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DD31A second address: 11DD31E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DD442 second address: 11DD45D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3F5D28F31Dh 0x0000000b push eax 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DD45D second address: 11DD461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DD59A second address: 11DD59E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DDAD3 second address: 11DDAD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F0F4 second address: 116F0FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3F5D28F316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E228E second address: 11E22A7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3F5CD29FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F3F5CD29FDFh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E1184 second address: 11E1188 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A7FD8 second address: 11A7FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3F5CD29FE8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8604 second address: 11A860E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3F5D28F316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A860E second address: 11A8628 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jbe 00007F3F5CD29FD6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 jnc 00007F3F5CD29FD6h 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8628 second address: 11A862D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8887 second address: 11A88A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3F5CD29FE9h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8AA6 second address: 11A8AAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8AAA second address: 11A8AB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8AB4 second address: 11A8AFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5D28F31Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push ecx 0x0000000c jl 00007F3F5D28F31Ch 0x00000012 jnl 00007F3F5D28F316h 0x00000018 pop ecx 0x00000019 nop 0x0000001a jmp 00007F3F5D28F31Eh 0x0000001f mov edx, dword ptr [ebp+122D2C61h] 0x00000025 push 00000004h 0x00000027 mov cx, dx 0x0000002a nop 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F3F5D28F31Ah 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8AFA second address: 11A8B1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007F3F5CD29FD6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3F5CD29FE2h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A90DF second address: 11A90E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A9367 second address: 11A938E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dh, 68h 0x0000000d lea eax, dword ptr [ebp+12487D1Bh] 0x00000013 push ecx 0x00000014 sbb ch, 00000063h 0x00000017 pop edx 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jc 00007F3F5CD29FDCh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118F1D0 second address: 118F1DC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3F5D28F31Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115FFF3 second address: 1160001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F5CD29FDAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1160001 second address: 1160038 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5D28F329h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3F5D28F326h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1160038 second address: 116004F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5CD29FDCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116004F second address: 1160059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1160059 second address: 1160070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jnp 00007F3F5CD29FD6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E155E second address: 11E1579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F5D28F31Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jnl 00007F3F5D28F316h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E1824 second address: 11E1828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E1828 second address: 11E182C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E182C second address: 11E1852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F3F5CD29FF4h 0x0000000c jmp 00007F3F5CD29FE8h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E19C9 second address: 11E19E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3F5D28F31Dh 0x00000009 jmp 00007F3F5D28F31Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E19E7 second address: 11E1A15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3F5CD29FE6h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007F3F5CD29FDEh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E1A15 second address: 11E1A33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F3F5D28F321h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E1E5C second address: 11E1E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E1E60 second address: 11E1E66 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E1E66 second address: 11E1E72 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3F5CD29FDEh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E55E3 second address: 11E55E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E55E7 second address: 11E5609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3F5CD29FD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F3F5CD29FE6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E5609 second address: 11E5614 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F3F5D28F316h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E5614 second address: 11E561A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA593 second address: 11EA5A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jp 00007F3F5D28F31Eh 0x0000000b je 00007F3F5D28F316h 0x00000011 push edx 0x00000012 pop edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA710 second address: 11EA730 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5CD29FE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F3F5CD29FDEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA730 second address: 11EA73E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jg 00007F3F5D28F31Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F13EF second address: 11F13FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5CD29FDAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EFF4C second address: 11EFF50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F04FB second address: 11F04FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F07DC second address: 11F07F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5D28F329h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F07F9 second address: 11F0809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F3F5CD29FD6h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F0997 second address: 11F099B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EFCAB second address: 11EFCAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F68BD second address: 11F68C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007F3F5D28F316h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F68C9 second address: 11F68CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F68CD second address: 11F68D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F983E second address: 11F985D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007F3F5CD29FE8h 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F92E8 second address: 11F92ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F92ED second address: 11F92F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F92F5 second address: 11F932E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F3F5D28F321h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jnp 00007F3F5D28F351h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F3F5D28F329h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F95C6 second address: 11F95CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FBD25 second address: 11FBD29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FBD29 second address: 11FBD3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a js 00007F3F5CD29FD6h 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FBD3A second address: 11FBD44 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3F5D28F322h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FBD44 second address: 11FBD4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FBA29 second address: 11FBA2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FBA2D second address: 11FBA31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8D76 second address: 11A8D80 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3F5D28F316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8D80 second address: 11A8D9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3F5CD29FE9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8D9D second address: 11A8DA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8DA1 second address: 11A8E05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jnl 00007F3F5CD29FEBh 0x00000011 push 00000004h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F3F5CD29FD8h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov edx, dword ptr [ebp+122D2C5Dh] 0x00000033 and edx, dword ptr [ebp+122D2AA9h] 0x00000039 nop 0x0000003a push ecx 0x0000003b pushad 0x0000003c jng 00007F3F5CD29FD6h 0x00000042 push esi 0x00000043 pop esi 0x00000044 popad 0x00000045 pop ecx 0x00000046 push eax 0x00000047 pushad 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8E05 second address: 11A8E1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F5D28F31Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8E1B second address: 11A8E1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206E83 second address: 1206E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F5D28F321h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206E98 second address: 1206E9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206E9E second address: 1206EAD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206EAD second address: 1206ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3F5CD29FE8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206ECE second address: 1206EDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jng 00007F3F5D28F316h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206050 second address: 1206054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206054 second address: 1206062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206062 second address: 1206068 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206068 second address: 1206079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206079 second address: 1206081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206081 second address: 1206089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206089 second address: 120608F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120608F second address: 1206098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206210 second address: 120621E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3F5CD29FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120621E second address: 1206224 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12063A0 second address: 12063A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12063A6 second address: 12063B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12063B2 second address: 12063B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206514 second address: 120651E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3F5D28F316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12066E7 second address: 1206712 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3F5CD29FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3F5CD29FE2h 0x00000013 jmp 00007F3F5CD29FDBh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206712 second address: 1206718 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206718 second address: 1206722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206722 second address: 1206734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F5D28F31Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12068B8 second address: 12068BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12068BC second address: 12068C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12069FD second address: 1206A03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206A03 second address: 1206A12 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3F5D28F316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206A12 second address: 1206A27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F5CD29FE0h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1209C94 second address: 1209CA1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1209CA1 second address: 1209CAB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3F5CD29FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12119C5 second address: 12119DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F3F5D28F322h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120F74D second address: 120F754 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120F754 second address: 120F75A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120F75A second address: 120F776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F3F5CD29FE0h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120F8CD second address: 120F8E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3F5D28F326h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120F8E9 second address: 120F8F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F3F5CD29FD6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120FD7A second address: 120FD80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120FD80 second address: 120FD84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120FD84 second address: 120FD8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12100E1 second address: 12100FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F3F5CD29FE4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12100FE second address: 121010E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jp 00007F3F5D28F316h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121010E second address: 1210114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1210409 second address: 1210431 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F3F5D28F316h 0x00000009 jmp 00007F3F5D28F327h 0x0000000e jbe 00007F3F5D28F316h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1210431 second address: 121044E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F3F5CD29FDCh 0x0000000f jng 00007F3F5CD29FD8h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121044E second address: 1210459 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F3F5D28F316h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1210DC6 second address: 1210E13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5CD29FE8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F3F5CD29FDFh 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F3F5CD29FDEh 0x0000001c jmp 00007F3F5CD29FDBh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12110C0 second address: 12110CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12110CA second address: 12110DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F5CD29FE1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1211420 second address: 1211424 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12171C9 second address: 12171F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3F5CD29FE6h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F3F5CD29FD8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12171F0 second address: 1217209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3F5D28F325h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1217209 second address: 121720F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121720F second address: 121722F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3F5D28F328h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121B0F4 second address: 121B12D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F5CD29FE7h 0x00000009 popad 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e pop ecx 0x0000000f push edx 0x00000010 pushad 0x00000011 jng 00007F3F5CD29FD6h 0x00000017 jng 00007F3F5CD29FD6h 0x0000001d jnp 00007F3F5CD29FD6h 0x00000023 popad 0x00000024 push edi 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121A2BE second address: 121A2D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jo 00007F3F5D28F31Ch 0x0000000d jo 00007F3F5D28F316h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121A3F2 second address: 121A437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jmp 00007F3F5CD29FDEh 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pushad 0x0000000d jnp 00007F3F5CD29FEBh 0x00000013 push eax 0x00000014 jmp 00007F3F5CD29FE1h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121A59F second address: 121A5A9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3F5D28F31Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121ADDE second address: 121ADF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F3F5CD29FDAh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122485B second address: 1224873 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3F5D28F31Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1224873 second address: 1224877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1224877 second address: 122487B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12229E1 second address: 12229F5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3F5CD29FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F3F5CD29FDEh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12229F5 second address: 12229FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12229FE second address: 1222A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1222A04 second address: 1222A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1222BAC second address: 1222BB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1222BB4 second address: 1222BC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a je 00007F3F5D28F316h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1223005 second address: 122301D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 js 00007F3F5CD29FD6h 0x0000000b push edx 0x0000000c pop edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007F3F5CD29FD6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1223158 second address: 122315E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122315E second address: 1223162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1223162 second address: 122317C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5D28F31Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F3F5D28F316h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122317C second address: 1223186 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3F5CD29FD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1223186 second address: 1223199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F3F5D28F33Fh 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1223199 second address: 12231B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3F5CD29FE1h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12231B3 second address: 12231B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12235E8 second address: 12235F2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3F5CD29FD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1223727 second address: 122372F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12246E6 second address: 12246FC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3F5CD29FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F3F5CD29FDCh 0x00000010 jp 00007F3F5CD29FD6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12246FC second address: 122470F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5D28F31Eh 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12288F3 second address: 12288FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12288FC second address: 1228900 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122B9B4 second address: 122B9BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122B9BA second address: 122B9BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122B9BE second address: 122B9C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123A7D9 second address: 123A7E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123A7E4 second address: 123A7FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3F5CD29FE0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123A7FF second address: 123A809 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3F5D28F316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123A809 second address: 123A825 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F3F5CD29FD6h 0x00000009 jmp 00007F3F5CD29FE1h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1245213 second address: 1245218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1245218 second address: 124521D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12499CE second address: 12499F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jmp 00007F3F5D28F327h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12499F3 second address: 12499FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F3F5CD29FD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1254649 second address: 125465D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3F5D28F31Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F3F5D28F316h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125465D second address: 125466B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5CD29FDAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125466B second address: 1254682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3F5D28F31Ah 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1252E45 second address: 1252E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1252E49 second address: 1252E59 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 jc 00007F3F5D28F31Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12532A7 second address: 12532B1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3F5CD29FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12532B1 second address: 12532BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F3F5D28F316h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1253410 second address: 1253414 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125355E second address: 1253594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F5D28F326h 0x00000009 popad 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 pop eax 0x00000011 jno 00007F3F5D28F316h 0x00000017 push edx 0x00000018 pop edx 0x00000019 popad 0x0000001a pushad 0x0000001b push edx 0x0000001c pop edx 0x0000001d jp 00007F3F5D28F316h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125385A second address: 1253870 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5CD29FDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1253870 second address: 125387C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F3F5D28F316h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125387C second address: 125389A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jc 00007F3F5CD29FE3h 0x0000000d jmp 00007F3F5CD29FDDh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1254319 second address: 1254323 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3F5D28F316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1254323 second address: 1254338 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d ja 00007F3F5CD29FD6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1254338 second address: 1254340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1254340 second address: 125434C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3F5CD29FD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125434C second address: 1254365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F5D28F324h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1254365 second address: 125437B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3F5CD29FE0h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1259628 second address: 125962C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12597A6 second address: 12597AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125B007 second address: 125B04D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F5D28F31Eh 0x00000009 popad 0x0000000a push edx 0x0000000b jmp 00007F3F5D28F31Dh 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop edx 0x00000013 push esi 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pop esi 0x00000017 popad 0x00000018 pushad 0x00000019 jnc 00007F3F5D28F318h 0x0000001f pushad 0x00000020 push edi 0x00000021 pop edi 0x00000022 jne 00007F3F5D28F316h 0x00000028 jl 00007F3F5D28F316h 0x0000002e popad 0x0000002f push eax 0x00000030 push edx 0x00000031 push ecx 0x00000032 pop ecx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125E1A7 second address: 125E1B6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3F5CD29FD6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125E1B6 second address: 125E1BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126A54C second address: 126A578 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3F5CD29FD8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3F5CD29FE7h 0x00000012 js 00007F3F5CD29FD6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126A578 second address: 126A5AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5D28F321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F3F5D28F32Dh 0x0000000f jc 00007F3F5D28F316h 0x00000015 jmp 00007F3F5D28F321h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12670BA second address: 12670BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12670BE second address: 12670CC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F3F5D28F318h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A1D4 second address: 127A1ED instructions: 0x00000000 rdtsc 0x00000002 js 00007F3F5CD29FDEh 0x00000008 push edx 0x00000009 pop edx 0x0000000a jl 00007F3F5CD29FD6h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A1ED second address: 127A1F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A1F3 second address: 127A215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F3F5CD29FEDh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A215 second address: 127A226 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5D28F31Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A226 second address: 127A22A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A22A second address: 127A22E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127CF55 second address: 127CF66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5CD29FDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127CF66 second address: 127CF6B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127CB6C second address: 127CB72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127CB72 second address: 127CB78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12969C1 second address: 12969DE instructions: 0x00000000 rdtsc 0x00000002 je 00007F3F5CD29FE7h 0x00000008 jmp 00007F3F5CD29FE1h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12969DE second address: 12969E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1296CE5 second address: 1296CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1296CE9 second address: 1296CED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1296CED second address: 1296D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3F5CD29FE7h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12989C5 second address: 12989CF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12989CF second address: 12989D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12989D3 second address: 1298A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3F5D28F328h 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007F3F5D28F325h 0x00000015 jmp 00007F3F5D28F325h 0x0000001a jmp 00007F3F5D28F321h 0x0000001f popad 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B5D4 second address: 129B5DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B5DA second address: 129B67B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F3F5D28F31Ch 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jno 00007F3F5D28F31Ch 0x00000013 push ebx 0x00000014 jl 00007F3F5D28F316h 0x0000001a pop ebx 0x0000001b popad 0x0000001c nop 0x0000001d jmp 00007F3F5D28F31Fh 0x00000022 push 00000004h 0x00000024 push 00000000h 0x00000026 push ebp 0x00000027 call 00007F3F5D28F318h 0x0000002c pop ebp 0x0000002d mov dword ptr [esp+04h], ebp 0x00000031 add dword ptr [esp+04h], 00000015h 0x00000039 inc ebp 0x0000003a push ebp 0x0000003b ret 0x0000003c pop ebp 0x0000003d ret 0x0000003e call 00007F3F5D28F319h 0x00000043 pushad 0x00000044 jnl 00007F3F5D28F32Eh 0x0000004a ja 00007F3F5D28F31Ch 0x00000050 popad 0x00000051 push eax 0x00000052 jl 00007F3F5D28F328h 0x00000058 pushad 0x00000059 jmp 00007F3F5D28F31Ah 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B67B second address: 129B6C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push edx 0x0000000a push esi 0x0000000b jmp 00007F3F5CD29FE8h 0x00000010 pop esi 0x00000011 pop edx 0x00000012 mov eax, dword ptr [eax] 0x00000014 push ecx 0x00000015 pushad 0x00000016 jmp 00007F3F5CD29FE8h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 push ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B6C9 second address: 129B6CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0D12 second address: 4CE0D2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3F5CD29FE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0D2A second address: 4CE0D2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0D2E second address: 4CE0D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test ecx, ecx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F3F5CD29FDDh 0x00000011 adc cx, 1EB6h 0x00000016 jmp 00007F3F5CD29FE1h 0x0000001b popfd 0x0000001c mov cx, FCA7h 0x00000020 popad 0x00000021 jns 00007F3F5CD2A048h 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F3F5CD29FE9h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0D84 second address: 4CE0D8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0D8A second address: 4CE0D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0D8E second address: 4CE0D92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0D92 second address: 4CE0DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edx, esi 0x0000000f call 00007F3F5CD29FDCh 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0DAF second address: 4CE0DED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3F5D28F31Dh 0x00000009 sub esi, 0BB5E2D6h 0x0000000f jmp 00007F3F5D28F321h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov eax, dword ptr [eax+00000860h] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov si, bx 0x00000024 mov edi, 4E531B6Ah 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0DED second address: 4CE0E08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3F5CD29FE7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0E08 second address: 4CE0E18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0E18 second address: 4CE0E1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0E1C second address: 4CE0E22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0E22 second address: 4CE0E54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5CD29FE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F3FCDC3FEF6h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3F5CD29FDDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CE0E54 second address: 4CE0E7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F5D28F321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [eax+04h], 00000005h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3F5D28F31Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AD911 second address: 11AD91B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3F5CD29FDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11ADAB8 second address: 11ADABC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11ADC8D second address: 11ADC93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11ADC93 second address: 11ADC97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: FF3D22 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 11CD567 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 12319F5 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 2004

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1715790734.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1715790734.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1715790734.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FD5BB0 LdrInitializeThunk,

0_2_00FD5BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor

Source: file.exe, file.exe, 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/badges	100%	URL Reputation	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	unknown
sergei-esenin.com	172.67.206.204	true	true	unknown
eaglepawnoy.store	unknown	unknown	false	unknown
bathdoomgaz.store	unknown	unknown	false	unknown
spirittunek.store	unknown	unknown	false	unknown
licendfilteo.site	unknown	unknown	true	unknown
studennotediw.store	unknown	unknown	false	unknown
mobbipenju.store	unknown	unknown	false	unknown
clearancek.site	unknown	unknown	true	unknown
dissapoiznw.store	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
studennotediw.stor	true		unknown
spirittunek.stor	true		unknown
eaglepawnoy.stor	true		unknown
clearancek.site	true		unknown
mobbipenju.stor	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
licendfilteo.site	true		unknown
bathdoomgaz.stor	true		unknown
dissapoiznw.stor	true		unknown
https://sergei-esenin.com/api	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/en/	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/market/	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mobbipenju.store:443/api2	file.exe, 00000000.00000002.1715790734.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sergei-esenin.com/	file.exe, 00000000.00000002.1715790734.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000002.1715990710.0000000000B26000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000000.00000002.1715990710.0000000000B26000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=9yzMGndrVfY4&l=e	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/stats/	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000000.00000002.1715990710.0000000000B26000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://studennotediw.store:443/api:A	file.exe, 00000000.00000002.1715790734.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz	file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/legal/	file.exe, 00000000.00000002.1715990710.0000000000B26000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://licendfilteo.site:443/api	file.exe, 00000000.00000002.1715790734.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000002.1715990710.0000000000B26000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com:443/profiles/76561199724331900	file.exe, 00000000.00000002.1715790734.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/points/shop/	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	file.exe, 00000000.00000002.1715990710.0000000000B26000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/apiJ4~	file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com:443/api	file.exe, 00000000.00000002.1715790734.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spirittunek.store:443/api	file.exe, 00000000.00000002.1715790734.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/Z4~	file.exe, 00000000.00000002.1715790734.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000000.00000002.1715990710.0000000000B26000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/badges	file.exe, 00000000.00000002.1715790734.0000000000A86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1699240116.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false
172.67.206.204	sergei-esenin.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528271
Start date and time:	2024-10-07 18:03:28 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@10/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
12:04:19	API Interceptor	3x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm
172.67.206.204	CatalogApp.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	xwZfYpo16i.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	p7SnjaA8NN.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	MSCy5UvBYg.exe	Get hash	malicious	LummaC, Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	E7Bu6a7eve.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sergei-esenin.com	CatalogApp.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	xwZfYpo16i.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse	172.67.206.204
	c3KH2gLNrM.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc, Vidar	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	p7SnjaA8NN.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc, Vidar	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
steamcommunity.com	CatalogApp.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	CatalogApp.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	down.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	xwZfYpo16i.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse	104.102.49.254
	c3KH2gLNrM.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	vEcIHT68pU.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://t.dripemail3.com/c/eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJkZXRvdXIiLCJpc3MiOiJtb25vbGl0aCIsInN1YiI6ImRldG91cl9saW5rIiwiaWF0IjoxNzI4MzEwODA2LCJuYmYiOjE3MjgzMTA4MDYsImFjY291bnRfaWQiOiIyNzYyNjA5IiwiZGVsaXZlcnlfaWQiOiJwODJtNGNzMzB4cXl2Zmh0NzQxaSIsInRva2VuIjoicDgybTRjczMweHF5dmZodDc0MWkiLCJzZW5kX2F0IjoxNzI4MzA5NzMyLCJlbWFpbF9pZCI6OTk2NDE4NiwiZW1haWxhYmxlX3R5cGUiOiJCcm9hZGNhc3QiLCJlbWFpbGFibGVfaWQiOjM5NTQwMTYsInVybCI6Imh0dHBzOi8vZGFpbHlhbGFza2EuY29tL25ld3M_X19zPWw5bzljOTZzbG8xZjF3aGFiODZrJnV0bV9zb3VyY2U9ZHJpcCZ1dG1fbWVkaXVtPWVtYWlsJnV0bV9jYW1wYWlnbj0lRjAlOUYlOTElOEMrV2UrTWFkZStJdCtFYXN5K0ZvcitZb3UrJUYwJTlGJTkxJThDIn0.MNRoosOspCCWwx3VuYY41W-crcEzfjjfIELlO_QMAdM	Get hash	malicious	HtmlDropper	Browse	172.67.212.190
	https://forms.office.com/Pages/ShareFormPage.aspx?id=W8eUhlA4rUOuklSyoCn21mtmgAvPzYFJuSM99R6gX3dUQ1IyWUM1UUhTS1pWQ0xXNkI3RzlRRkFIVi4u&sharetoken=93tGEOrxpFy3X0nnxFcr	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Contract_Agreement_Monday October 2024.pdf	Get hash	malicious	Unknown	Browse	104.21.90.101
	CatalogApp.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	DocuSign-Docx.pdf	Get hash	malicious	Unknown	Browse	172.67.139.158
	RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	ABH projesi_SLG6%0190%_fiyat teklif - PO240017 xlsx.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	scan_374783.js	Get hash	malicious	AgentTesla	Browse	188.114.97.3
AKAMAI-ASUS	CatalogApp.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	CatalogApp.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DocuSign-Docx.pdf	Get hash	malicious	Unknown	Browse	88.221.168.23
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	down.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://issuu.com/smart_media/docs/die_welt_wirtschaft/19	Get hash	malicious	Unknown	Browse	23.212.88.20
	Hscni Remittance_8115919700_16831215.html	Get hash	malicious	Tycoon2FA	Browse	173.223.116.167
	original.eml	Get hash	malicious	Tycoon2FA	Browse	92.122.18.57

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	vEcIHT68pU.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	CatalogApp.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	CatalogApp.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	scan_374783.js	Get hash	malicious	AgentTesla	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	uhwovHh7pS.msi	Get hash	malicious	VMdetect	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.206.204

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9482042760407285
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'904'128 bytes
MD5:	d9db4d0437a7307c4fd0f8b3f7bab2c6
SHA1:	df7705a0c061e1820e394a0b4c4ac13a7d9fd518
SHA256:	6c2d273d3f9a9f5589a2ebd49d862833abeecf0b76f5f6c770ae2cf14dc7a81a
SHA512:	4e35819ad4f7814b6ea23db228338d30b94d9479d560a227a4775e40e659eee0818f5e995a4afa6d0183dc007d1b355339454f16bda34a24e3ad9a63cbeec2bf
SSDEEP:	49152:AXJG3lPxe/aiFgeI7uftMgBwSEn8AWKQ6e8AvU2Po1IkKibaa:Y6Xe/DA7uftMYEsKQ6D2PoOp
TLSH:	789533A8DE35EF23EE5CD77148729326AF1E9041852701100E69D977983A3CCAB77B17
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f.............................0L...........@..........................`L.....rW....@.................................W...k..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x8c3000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F3F5CD53E1Ah
paddsb mm3, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F3F5CD55E15h
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+0Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or al, 80h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	4e969796fcc2976c88c31009754c52bd	False	0.9994714315181518	data	7.979411071304206	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x2ba000	0x200	25091acdd682b11de0f30a85b4708aab	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
aykcypxm	0x31a000	0x1a8000	0x1a7600	7b8357451ee2b6958ec76e501e46b581	False	0.9934555607838795	data	7.953761297245085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ubrowdje	0x4c2000	0x1000	0x400	e6941a970d8c4e5c1df4276b07e6477a	False	0.7451171875	data	5.873949185450139	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4c3000	0x3000	0x2200	527e7ae6a3c4a70f80143b67248bbd4f	False	0.05962775735294118	DOS executable (COM)	0.686071549583682	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T18:04:20.603340+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.4	54891	1.1.1.1	53	UDP
2024-10-07T18:04:20.624398+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.4	50633	1.1.1.1	53	UDP
2024-10-07T18:04:20.648005+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.4	57363	1.1.1.1	53	UDP
2024-10-07T18:04:20.658950+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.4	56247	1.1.1.1	53	UDP
2024-10-07T18:04:20.669955+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.4	57151	1.1.1.1	53	UDP
2024-10-07T18:04:20.688959+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.4	49954	1.1.1.1	53	UDP
2024-10-07T18:04:20.701520+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.4	57848	1.1.1.1	53	UDP
2024-10-07T18:04:20.712780+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.4	50028	1.1.1.1	53	UDP
2024-10-07T18:04:23.031218+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49731	172.67.206.204	443	TCP
2024-10-07T18:04:23.031218+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	172.67.206.204	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 18:04:20.737533092 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 18:04:20.737627983 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:20.737749100 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 18:04:20.740751028 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 18:04:20.740794897 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:21.391470909 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:21.391593933 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 18:04:21.393820047 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 18:04:21.393857956 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:21.394175053 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:21.440274954 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 18:04:21.483414888 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:21.919934988 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:21.919960022 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:21.920006990 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:21.920025110 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:21.920047045 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:21.920262098 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 18:04:21.920275927 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:21.920422077 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 18:04:22.015780926 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:22.015805960 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:22.015980959 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 18:04:22.015989065 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:22.016068935 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 18:04:22.020842075 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:22.020991087 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 18:04:22.021038055 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:22.021112919 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:22.021114111 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 18:04:22.021197081 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 18:04:22.023282051 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 18:04:22.023296118 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:22.023319960 CEST	49730	443	192.168.2.4	104.102.49.254
Oct 7, 2024 18:04:22.023324966 CEST	443	49730	104.102.49.254	192.168.2.4
Oct 7, 2024 18:04:22.042810917 CEST	49731	443	192.168.2.4	172.67.206.204
Oct 7, 2024 18:04:22.042856932 CEST	443	49731	172.67.206.204	192.168.2.4
Oct 7, 2024 18:04:22.043061972 CEST	49731	443	192.168.2.4	172.67.206.204
Oct 7, 2024 18:04:22.043224096 CEST	49731	443	192.168.2.4	172.67.206.204
Oct 7, 2024 18:04:22.043235064 CEST	443	49731	172.67.206.204	192.168.2.4
Oct 7, 2024 18:04:22.556484938 CEST	443	49731	172.67.206.204	192.168.2.4
Oct 7, 2024 18:04:22.556725025 CEST	49731	443	192.168.2.4	172.67.206.204
Oct 7, 2024 18:04:22.559370995 CEST	49731	443	192.168.2.4	172.67.206.204
Oct 7, 2024 18:04:22.559393883 CEST	443	49731	172.67.206.204	192.168.2.4
Oct 7, 2024 18:04:22.559627056 CEST	443	49731	172.67.206.204	192.168.2.4
Oct 7, 2024 18:04:22.560662985 CEST	49731	443	192.168.2.4	172.67.206.204
Oct 7, 2024 18:04:22.560688019 CEST	49731	443	192.168.2.4	172.67.206.204
Oct 7, 2024 18:04:22.560722113 CEST	443	49731	172.67.206.204	192.168.2.4
Oct 7, 2024 18:04:23.031279087 CEST	443	49731	172.67.206.204	192.168.2.4
Oct 7, 2024 18:04:23.031512022 CEST	443	49731	172.67.206.204	192.168.2.4
Oct 7, 2024 18:04:23.031590939 CEST	49731	443	192.168.2.4	172.67.206.204
Oct 7, 2024 18:04:23.036617041 CEST	49731	443	192.168.2.4	172.67.206.204
Oct 7, 2024 18:04:23.036654949 CEST	443	49731	172.67.206.204	192.168.2.4
Oct 7, 2024 18:04:23.036675930 CEST	49731	443	192.168.2.4	172.67.206.204
Oct 7, 2024 18:04:23.036683083 CEST	443	49731	172.67.206.204	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 18:04:20.603339911 CEST	54891	53	192.168.2.4	1.1.1.1
Oct 7, 2024 18:04:20.614679098 CEST	53	54891	1.1.1.1	192.168.2.4
Oct 7, 2024 18:04:20.624397993 CEST	50633	53	192.168.2.4	1.1.1.1
Oct 7, 2024 18:04:20.633495092 CEST	53	50633	1.1.1.1	192.168.2.4
Oct 7, 2024 18:04:20.648005009 CEST	57363	53	192.168.2.4	1.1.1.1
Oct 7, 2024 18:04:20.657727957 CEST	53	57363	1.1.1.1	192.168.2.4
Oct 7, 2024 18:04:20.658950090 CEST	56247	53	192.168.2.4	1.1.1.1
Oct 7, 2024 18:04:20.668683052 CEST	53	56247	1.1.1.1	192.168.2.4
Oct 7, 2024 18:04:20.669955015 CEST	57151	53	192.168.2.4	1.1.1.1
Oct 7, 2024 18:04:20.685520887 CEST	53	57151	1.1.1.1	192.168.2.4
Oct 7, 2024 18:04:20.688958883 CEST	49954	53	192.168.2.4	1.1.1.1
Oct 7, 2024 18:04:20.698962927 CEST	53	49954	1.1.1.1	192.168.2.4
Oct 7, 2024 18:04:20.701519966 CEST	57848	53	192.168.2.4	1.1.1.1
Oct 7, 2024 18:04:20.710536003 CEST	53	57848	1.1.1.1	192.168.2.4
Oct 7, 2024 18:04:20.712779999 CEST	50028	53	192.168.2.4	1.1.1.1
Oct 7, 2024 18:04:20.722475052 CEST	53	50028	1.1.1.1	192.168.2.4
Oct 7, 2024 18:04:20.725655079 CEST	55418	53	192.168.2.4	1.1.1.1
Oct 7, 2024 18:04:20.733180046 CEST	53	55418	1.1.1.1	192.168.2.4
Oct 7, 2024 18:04:22.026854992 CEST	51969	53	192.168.2.4	1.1.1.1
Oct 7, 2024 18:04:22.042129040 CEST	53	51969	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 18:04:20.603339911 CEST	192.168.2.4	1.1.1.1	0x809	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:20.624397993 CEST	192.168.2.4	1.1.1.1	0xbadc	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:20.648005009 CEST	192.168.2.4	1.1.1.1	0xff75	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:20.658950090 CEST	192.168.2.4	1.1.1.1	0x97c6	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:20.669955015 CEST	192.168.2.4	1.1.1.1	0xbd3e	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:20.688958883 CEST	192.168.2.4	1.1.1.1	0x3ff3	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:20.701519966 CEST	192.168.2.4	1.1.1.1	0x6c76	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:20.712779999 CEST	192.168.2.4	1.1.1.1	0x47dd	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:20.725655079 CEST	192.168.2.4	1.1.1.1	0x134d	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:22.026854992 CEST	192.168.2.4	1.1.1.1	0xc61f	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 18:04:20.614679098 CEST	1.1.1.1	192.168.2.4	0x809	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:20.633495092 CEST	1.1.1.1	192.168.2.4	0xbadc	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:20.657727957 CEST	1.1.1.1	192.168.2.4	0xff75	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:20.668683052 CEST	1.1.1.1	192.168.2.4	0x97c6	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:20.685520887 CEST	1.1.1.1	192.168.2.4	0xbd3e	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:20.698962927 CEST	1.1.1.1	192.168.2.4	0x3ff3	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:20.710536003 CEST	1.1.1.1	192.168.2.4	0x6c76	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:20.722475052 CEST	1.1.1.1	192.168.2.4	0x47dd	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:20.733180046 CEST	1.1.1.1	192.168.2.4	0x134d	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:22.042129040 CEST	1.1.1.1	192.168.2.4	0xc61f	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false
Oct 7, 2024 18:04:22.042129040 CEST	1.1.1.1	192.168.2.4	0xc61f	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.102.49.254	443	6544	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 16:04:21 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-07 16:04:21 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 07 Oct 2024 16:04:21 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=d48a02bae075cbed776d5bd7; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-07 16:04:21 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-07 16:04:22 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-07 16:04:22 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-07 16:04:22 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	172.67.206.204	443	6544	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 16:04:22 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-07 16:04:22 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-07 16:04:23 UTC	774	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 16:04:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m6nr3dtbh1hkgdpahl053tl7t5; expires=Fri, 31 Jan 2025 09:51:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=67LwswnUeeu9kzc%2F7TZq1Db0Nr7wxsLU6pypgwBCHFnxcfCAfsoJUpPqmhpDEh7s7mZt3mxj85y%2FsmDmftmMYAi%2B5W8TzHkr7ONmWrFeuwjUVlp4oh2XZyXwaoFLzfr6ghHTPA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cef20697d1e7d18-EWR
2024-10-07 16:04:23 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-07 16:04:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:04:16
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xf90000
File size:	1'904'128 bytes
MD5 hash:	D9DB4D0437A7307C4FD0F8B3F7BAB2C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	56.2%
Total number of Nodes:	48
Total number of Limit Nodes:	6

Executed Functions

Function 00FD50FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(19A41BB1,00000000,00000800), ref: 00FD5182

Strings

@^, xrefs: 00FD5120
<I$), xrefs: 00FD52E3
<I$), xrefs: 00FD5198

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: <I$)$<I$)$@^
API String ID: 1029625771-935358343
Opcode ID: 240a8406859826392206ca9046262a9691ae9b0b622ac4d9a9bfc37c57835277
Instruction ID: f44ed28f6480e89b4e3cc80de985f37ba0896c76e2c4b8363fe42e085ab2ec68
Opcode Fuzzy Hash: 240a8406859826392206ca9046262a9691ae9b0b622ac4d9a9bfc37c57835277
Instruction Fuzzy Hash: 4821AE355083888FC300DF68D8C4B2AB7F5AB6A300F69482CE1C5D7362D736D915CB56

Function 00F9FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

V, xrefs: 00F9FEDC
t, xrefs: 00F9FCBE
VY^_, xrefs: 00F9FDFF
J|BJ, xrefs: 00FA000D

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: 1566b3c3444fc1d403add0128daa970127485a7032675a21e80670b6a6ac87c0
Instruction ID: 7e987fcf615fdc4e7144621f1afc0dfb39fa58940362a7b839b2a70f6a9ff419
Opcode Fuzzy Hash: 1566b3c3444fc1d403add0128daa970127485a7032675a21e80670b6a6ac87c0
Instruction Fuzzy Hash: F1D17BB590C3809BD711DF18E49065FBBE1AF96748F28882CF4C98B252C735DD49EB92

Function 00F9D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00F9D2F1

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 8a9a95e10fe78447c009cb4cc566c75260ccdd6ca6fc7cc392ece9e96847c369
Instruction ID: 28d848bcd924f1d95d25ce116fb4741028bd60666f004c2609c9f5b513f6077c
Opcode Fuzzy Hash: 8a9a95e10fe78447c009cb4cc566c75260ccdd6ca6fc7cc392ece9e96847c369
Instruction Fuzzy Hash: 11413A7090D340ABEB01BF68D684A2EFBF5AF52745F248C1CE5C497252C339D814AB67

Function 00FD5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00FD973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 00FD5BDE

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00FD695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00FD69C5

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6b2ad79adc8eb59d8026bcc79404fbce8ee62019c763a75db90b58e47a1da653
Instruction ID: de1e8d0eb9e4db35088b8cd74779753dd870d7b2695d856bd383cbadf9a225a9
Opcode Fuzzy Hash: 6b2ad79adc8eb59d8026bcc79404fbce8ee62019c763a75db90b58e47a1da653
Instruction Fuzzy Hash: 1D3176B19183059FD718EF14C8A072AB7F2EF85344F48981EE5C6DB3A1E3399904EB56

Function 00FA049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbdcb4f12ea2cbe178cc38d88ba0d91d8508346ddd5f043cfc3403885e7d520c
Instruction ID: 809b4cfbcab147a0ec58ed27da1994aa701b988c9888ea9a1f9da022c956a38f
Opcode Fuzzy Hash: bbdcb4f12ea2cbe178cc38d88ba0d91d8508346ddd5f043cfc3403885e7d520c
Instruction Fuzzy Hash: 63916A75200B04CFD724CF25E894A16B7F6FF89310B158A6DE8568BAA1DB30F819EB50

Function 00FA0228 Relevance: .2, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68e4c331f236312824b21dba385947668232bf1462fc4eb1a5a46fa971288bf
Instruction ID: d779407e529b1b2f2c23506176eb708dc1b6e07b48fc62da0d09d50d63c95bbb
Opcode Fuzzy Hash: c68e4c331f236312824b21dba385947668232bf1462fc4eb1a5a46fa971288bf
Instruction Fuzzy Hash: 1E717A75201704DFD7248F20EC98F16B7F6FF4A310F14896DE8468BAA2CB31A819EB50

Function 00FD99D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd772b8c0e1cfa196dd74855749662447e655af33ccc2e5f207da8c653e3456b
Instruction ID: 8de08028b7c76a6179eea3d15b758b9bca8f296ad53e203a2490d2c3a15a5f3d
Opcode Fuzzy Hash: bd772b8c0e1cfa196dd74855749662447e655af33ccc2e5f207da8c653e3456b
Instruction Fuzzy Hash: AA41EF3560C344ABD7109B55D890B2BB7A6EBC5B24F19882EE5C98B341C3B4E810EB62

Function 00FD63B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e7287b39f1a5c70dc161aeed60263c21fe9985bbe6420cc642e84bdd7bd29b6
Instruction ID: b6a15911e06d0c5d4dbd05df2ee86a8af748234f2984842172932528df141e0a
Opcode Fuzzy Hash: 8e7287b39f1a5c70dc161aeed60263c21fe9985bbe6420cc642e84bdd7bd29b6
Instruction Fuzzy Hash: 7831D274649341BADA24DB04CD82F3AB7A7FB81B25F68850DF1C19B3E1D370A811AB52

Function 00FD3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00FD32A6

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 011cb13e927888b8a610e87104156431b73d8827294f41639aaa3e2de3659e0c
Instruction ID: 50fbf6189a17131f662a097524a870e335feb38eceb9741f661727ff0dad805f
Opcode Fuzzy Hash: 011cb13e927888b8a610e87104156431b73d8827294f41639aaa3e2de3659e0c
Instruction Fuzzy Hash: F5016D3490D2909FC701EF18E889A1ABBE9EF4AB01F09491CE5C58B361D335DD60EB92

Function 00FD3202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00FD3208

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6275a3350d87bf96ae7119eb3842f599484611a714e3ca78877dee3402c7e9b1
Instruction ID: ccd4b7f698f3585d328caa9efc1aa651b210ec09747bd4305332e6470e29a1ae
Opcode Fuzzy Hash: 6275a3350d87bf96ae7119eb3842f599484611a714e3ca78877dee3402c7e9b1
Instruction Fuzzy Hash: 7DB012300400005FDA041B00EC0AF043510EB00605F800050A1000C0B1D1715864D554

Non-executed Functions

Function 00FADB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

D, xrefs: 00FAE846
%*+(, xrefs: 00FADE37, 00FADE46
dcba, xrefs: 00FAE728
tuJK, xrefs: 00FAE967
<=2, xrefs: 00FAEA01
|, xrefs: 00FAECB1
mjkh, xrefs: 00FAE7D8
89>?, xrefs: 00FAE9F6
<=:;, xrefs: 00FAE930
`Y^_, xrefs: 00FAE99E
@ONM, xrefs: 00FAE6DB
LKJI, xrefs: 00FAE6E6
T, xrefs: 00FAF157
lkji, xrefs: 00FAE73E
AR, xrefs: 00FADD10
DCBA, xrefs: 00FAE887, 00FAE896
tsrq, xrefs: 00FAE6FC
QNOL, xrefs: 00FAE775
`onm, xrefs: 00FAE733
89&', xrefs: 00FAE93B
xgfe, xrefs: 00FAE71D
WP, xrefs: 00FADCEF
()./, xrefs: 00FAE9CA
:WUE, xrefs: 00FAF6B7, 00FAF6C6

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: d1600d29f9af7820e4907cf7a339a6db62e542481fadf5482c9c07312ededeb3
Instruction ID: 0776eabe9594a739a803d3307c235b2fd69365eabfdfd0c01fc1ca2dacb0686b
Opcode Fuzzy Hash: d1600d29f9af7820e4907cf7a339a6db62e542481fadf5482c9c07312ededeb3
Instruction Fuzzy Hash: A7F289B19083819FD770CF14C894BABBBE6BFD6314F14482DE4C98B291D7359984EB92

Function 00FC23E0 Relevance: 31.3, APIs: 4, Strings: 12, Instructions: 3298COMMON

Download Yara Rule

Strings

3<, xrefs: 00FC32D6
fedc, xrefs: 00FC2782
%*+(, xrefs: 00FC40EF
:, xrefs: 00FC32DD
f@~!, xrefs: 00FC25FF
|}&C, xrefs: 00FC2F21
Cx, xrefs: 00FC453D
`tii, xrefs: 00FC2693
ggxz, xrefs: 00FC2685
aenQ, xrefs: 00FC276A
{l`~, xrefs: 00FC268C
mlc@, xrefs: 00FC275C

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C
API String ID: 0-786070067
Opcode ID: 4906e2c05057bd24aeb081aa4b2171f7c91f999c063714efe71f447ab1b0b2fa
Instruction ID: d48055d3537e0433bbb32fa2518976af7a45919191f5e4707c05ba11d98e5546
Opcode Fuzzy Hash: 4906e2c05057bd24aeb081aa4b2171f7c91f999c063714efe71f447ab1b0b2fa
Instruction Fuzzy Hash: 6C33CD70504B828FD7658F38C691B62BBE1BF16304F58899DD4DA8BB82C735F806DB61

Function 00FB9F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

JG, xrefs: 00FBAA27
N[, xrefs: 00FBA375
]{, xrefs: 00FBA1E7, 00FBA1F3
/), xrefs: 00FBA66D
S], xrefs: 00FBA636
_Y, xrefs: 00FBA641
=], xrefs: 00FBA36A
Gt, xrefs: 00FB9FF8
(a*c, xrefs: 00FBA147
?m,o, xrefs: 00FBA13C
hi, xrefs: 00FBAB9D
WQ, xrefs: 00FBA62B
CG, xrefs: 00FBAA32
%e6g, xrefs: 00FBA152
kW, xrefs: 00FBA380
sm, xrefs: 00FBA830
WH, xrefs: 00FBAA1C

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: 8ef9545b5b641a6a8137f8b844847592b5df6fd6612e54f0c124665862adf83d
Instruction ID: 7ad6ba3069228538e54e620a2bc0c14d72c5947edce1b119fec54298978d250c
Opcode Fuzzy Hash: 8ef9545b5b641a6a8137f8b844847592b5df6fd6612e54f0c124665862adf83d
Instruction Fuzzy Hash: A252B7B444D385CAE270CF26D581B8EBAF1BB92740F608A1DE1ED9B255DBB08045DF93

Function 00FB9510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

O+f), xrefs: 00FB9634, 00FB963D
pq, xrefs: 00FB99E0
z=Q?, xrefs: 00FB9826
!E4G, xrefs: 00FB9836
T#a-, xrefs: 00FB9AE3
;IJK, xrefs: 00FB983E
8;, xrefs: 00FB9B13
L3Y=, xrefs: 00FB9B03
2A"_, xrefs: 00FB9980
X/R), xrefs: 00FB9AEB
,A&C, xrefs: 00FB982E
B7U1, xrefs: 00FB9AFB
G+X5, xrefs: 00FB9AF3
G'M!, xrefs: 00FB9ADB
?M0K, xrefs: 00FB9968
B?Q9, xrefs: 00FB9B0B

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: 638369f979f7671b41187552c6dc4105a7279b10a87e41a298fabc67aa7bf4a0
Instruction ID: 14a7b7dc6cf41c3c57abc625f148bf799b4189225538e00b24ddb7df33f029ad
Opcode Fuzzy Hash: 638369f979f7671b41187552c6dc4105a7279b10a87e41a298fabc67aa7bf4a0
Instruction Fuzzy Hash: FDF14DB0508384ABD310DF16D880A6BBBF4FB86B48F544D1CF5D59B252D3B8D908EB96

Function 00FBDD29 Relevance: 14.9, Strings: 11, Instructions: 1142COMMON

Download Yara Rule

Strings

Y9N;, xrefs: 00FBE245
)IgK, xrefs: 00FBE261
<Y.[, xrefs: 00FBE27D
-M2O, xrefs: 00FBE25A
,Q?S, xrefs: 00FBE26F
%*+(, xrefs: 00FBE143
=]+_, xrefs: 00FBE276
hX]N, xrefs: 00FBDDC7
{E, xrefs: 00FBE323
upH}, xrefs: 00FBDE8A, 00FBE798, 00FBDF4A
n\+H, xrefs: 00FBDDC0

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$upH}${E
API String ID: 0-1557708024
Opcode ID: 68099d7ce3dd2afcef241499f14c51aa58a699fda69e027b2e5e46f2da9e8d32
Instruction ID: 080fcc865ed545cac281f0fbf1c00a2cf0daecc3e7e85f2fb4af00bcc67c7da5
Opcode Fuzzy Hash: 68099d7ce3dd2afcef241499f14c51aa58a699fda69e027b2e5e46f2da9e8d32
Instruction Fuzzy Hash: 2D92F271E00249CFDB04CF69D8916AEBBB2FF89310F298169E416AB391D735AD41DF90

Function 01163A04 Relevance: 14.1, Strings: 10, Instructions: 1608COMMON

Download Yara Rule

Strings

}S, xrefs: 01163D37
zu{k, xrefs: 011647CE
b8, xrefs: 01163BEF, 01163C46, 01163C50, 01163C5D, 01163C8E
Fv{2, xrefs: 01163D96
)tA%, xrefs: 01163C66
/']3, xrefs: 01164365
Ao7=, xrefs: 01163EB8
&5Xf, xrefs: 01163F4F
(faf, xrefs: 01164231
&Mv+, xrefs: 011640B3

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: b8$&5Xf$&Mv+$(faf$)tA%$/']3$Ao7=$Fv{2$zu{k$}S
API String ID: 0-3599013769
Opcode ID: 12895d60b97196f4dfd0ff93ddce6f90db91145ce0b31a6da3a13c57cfdb6f62
Instruction ID: 22d79af567a6659369fdaddf1831139e6337d5172252cd23ee0e301466b1386b
Opcode Fuzzy Hash: 12895d60b97196f4dfd0ff93ddce6f90db91145ce0b31a6da3a13c57cfdb6f62
Instruction Fuzzy Hash: 83B22BF3A082009FE704AE2DEC4567ABBE9EFD4720F1A853DE6C4C7744E63598058697

Function 00FB098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

{, xrefs: 00FB1502
qrqp, xrefs: 00FB1089
cah`, xrefs: 00FB107E
gce/, xrefs: 00FB1073
%*+(, xrefs: 00FB0A77, 00FB0A86
,#15, xrefs: 00FB0F94
&> &, xrefs: 00FB0F89
9.5^, xrefs: 00FB0F9F

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: 934dd3041f29ed7488229a9b2c94474a9eef3d01c04d28460e13e30739045d3d
Instruction ID: fd6bf5e501af368c60120fff9c1de768f27730fa6ead0f9db1c2c5a665fd8a1d
Opcode Fuzzy Hash: 934dd3041f29ed7488229a9b2c94474a9eef3d01c04d28460e13e30739045d3d
Instruction Fuzzy Hash: EE62B9B5A083818BD730CF15D891BABBBE1FF96314F08492DE49A8B681E7759840DF53

Function 00F91000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

gfff, xrefs: 00F92226
0123456789abcdefxp, xrefs: 00F91587, 00F915F8
gfff, xrefs: 00F922E1
0123456789ABCDEFXP, xrefs: 00F9157D, 00F915EB
-, xrefs: 00F921ED
gfff, xrefs: 00F92297
@, xrefs: 00F92C40

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: c28c7fa06e107b0bbedb3553ba12ad8dbca631a5bfd3b24e14dad9a49c0ae27b
Instruction ID: 49bc5f174f051394d7a923296bba4006bf0c5da8407cb08592773835d105ee67
Opcode Fuzzy Hash: c28c7fa06e107b0bbedb3553ba12ad8dbca631a5bfd3b24e14dad9a49c0ae27b
Instruction Fuzzy Hash: A2D20871A083429FEB18CF28C89436ABBE2AFD5314F18862DE495C7391D734DD45EB82

Function 01171151 Relevance: 7.9, Strings: 5, Instructions: 1642COMMON

Download Yara Rule

Strings

F?g, xrefs: 01171C0C
nTmo, xrefs: 01171DD4
Br{, xrefs: 0117239E
Me}_, xrefs: 01171518
RTYF, xrefs: 011714C7

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: Br{$F?g$Me}_$RTYF$nTmo
API String ID: 0-1254665298
Opcode ID: 508365b0c93169b19a496fa935a7d26e21c4cee4504a8d6ace1397f2306de7b3
Instruction ID: f6938d41e328b1ddb463698d068dd3fd2e8539c48c212bbb4af7162fb6dc048c
Opcode Fuzzy Hash: 508365b0c93169b19a496fa935a7d26e21c4cee4504a8d6ace1397f2306de7b3
Instruction Fuzzy Hash: 51B24BF3A0C2049FE304AE2DEC8567BBBE9EB94760F16493DEAC4D3744E63558058792

Function 0116540D Relevance: 7.9, Strings: 5, Instructions: 1632COMMON

Download Yara Rule

Strings

<MQ, xrefs: 01165BED
%w>, xrefs: 01165A3B
@^~, xrefs: 01165430
lOo, xrefs: 01166573
:=5n, xrefs: 011664E5

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: lOo$:=5n$<MQ$@^~$%w>
API String ID: 0-2024015339
Opcode ID: 30dbb424017fcfa9b46bb06c29db9ab057a17dd69a025a3bd9cefb9ccb28bf9d
Instruction ID: 214416517f3b1679db8e75fbfffde46795858faea519d68468055c78f14238a1
Opcode Fuzzy Hash: 30dbb424017fcfa9b46bb06c29db9ab057a17dd69a025a3bd9cefb9ccb28bf9d
Instruction Fuzzy Hash: 01B208F360C204AFE3046E2DEC4567ABBE9EF94720F16493DEAC5C7740EA7598018697

Function 01166F0E Relevance: 7.8, Strings: 5, Instructions: 1583COMMON

Download Yara Rule

Strings

-I7, xrefs: 011678A8
;Eo3, xrefs: 01167BB8
6?, xrefs: 0116721E
TY}, xrefs: 01168026
||], xrefs: 0116752A

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: 6?$-I7$;Eo3$TY}$||]
API String ID: 0-2638675106
Opcode ID: dc033d174b134c6a8d535938d38ab936010778f918eb4f0f75a14d86a957f125
Instruction ID: baec89d20342df958f6deca8a1b4508129381005542901c1b1f88441b131b24a
Opcode Fuzzy Hash: dc033d174b134c6a8d535938d38ab936010778f918eb4f0f75a14d86a957f125
Instruction Fuzzy Hash: 14B2F6F360C2049FE314AE2DEC8567AFBE9EB94720F164A3DE6C4C3744E63598058697

Function 0116FDB2 Relevance: 7.2, Strings: 5, Instructions: 964COMMON

Download Yara Rule

Strings

:qo, xrefs: 011702DA
rEWv, xrefs: 0116FDC7
~Dy}, xrefs: 0117000F
Vx~X, xrefs: 011705D3
f}g{, xrefs: 01170144

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: :qo$Vx~X$f}g{$rEWv$~Dy}
API String ID: 0-3874744719
Opcode ID: b4a40899cebdb965483a2cf75dcbe020214c90462a287a2536070b572eef2106
Instruction ID: 9f70c69cd8212871a45db2b1529bc434902614a828154a7952c520119fe2d32f
Opcode Fuzzy Hash: b4a40899cebdb965483a2cf75dcbe020214c90462a287a2536070b572eef2106
Instruction Fuzzy Hash: D8524BF361C204AFE3046E3DEC9567ABBE9EB94320F16493DE6C4C3744E93598418697

Function 00F912F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

0, xrefs: 00F91E88
0, xrefs: 00F9243E
0, xrefs: 00F91DC1
i, xrefs: 00F928EA
@, xrefs: 00F93531

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: 333201d70fd40faac94a6c087c1f2e39a8e0e2501d0a7e902b932b556a6540a6
Instruction ID: 73f1ba8f7ef7ad210a5ddd01d35750dcc235a3a534b53c719e682fd8229b6101
Opcode Fuzzy Hash: 333201d70fd40faac94a6c087c1f2e39a8e0e2501d0a7e902b932b556a6540a6
Instruction Fuzzy Hash: EF62F731A0C3829FEB19CF28C49076ABBE1BFD5314F18892DE4D987291D774D949EB42

Function 00F9164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 00F91659
+, xrefs: 00F91573
gfff, xrefs: 00F91F3C
0123456789ABCDEFXP, xrefs: 00F9164F
gfff, xrefs: 00F91F57

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: 4d860cc972cb77f843fce01ae9e03504ef41e295031ba54d9b52ac0b6ca1dc99
Instruction ID: 6968613f40ac0dc29e9e9c7c8747864b0fd939637ad26b189aaa6e9cf77ce1df
Opcode Fuzzy Hash: 4d860cc972cb77f843fce01ae9e03504ef41e295031ba54d9b52ac0b6ca1dc99
Instruction Fuzzy Hash: 2AF1D331A0C3829FDB15CE28C48436AFBE2AFD9314F188A6DE4D987352D334D944DB92

Function 01168995 Relevance: 6.7, Strings: 4, Instructions: 1690COMMON

Download Yara Rule

Strings

j?, xrefs: 01169367
?~9, xrefs: 01168EB5
B;?, xrefs: 01169AFA
0*w, xrefs: 011690FB

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: j?$0*w$?~9$B;?
API String ID: 0-2517843834
Opcode ID: 37703b9b0ed560bff05dfa27997ae91c83f29e1a6dd2cf659d7a208205a9f102
Instruction ID: 374c1354c59eb9ccd4eb77ca337f13999d6d290115c3ebc0beb9d7465d7ba749
Opcode Fuzzy Hash: 37703b9b0ed560bff05dfa27997ae91c83f29e1a6dd2cf659d7a208205a9f102
Instruction Fuzzy Hash: B9B218F3A08204AFE3086E2DEC8577ABBE9EFD4720F1A453DE6C5C7744E93558018696

Function 00F913A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 00F913AD
-, xrefs: 00F91F23
gfff, xrefs: 00F91F3C
0123456789ABCDEFXP, xrefs: 00F913A3
gfff, xrefs: 00F91F57

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: 73a97e6cad9ba5bccd545fbcd5e086f09ceadaa71c0cf47d744c443374b2275b
Instruction ID: 8be43a0f29e08254a70b86b64e0572231309d328c594b3da3c98d2514d38b298
Opcode Fuzzy Hash: 73a97e6cad9ba5bccd545fbcd5e086f09ceadaa71c0cf47d744c443374b2275b
Instruction Fuzzy Hash: 8BD1BF3160C7828FDB19CE29C48426AFBE2AFD9314F08CA6DE4D987356D334D949DB52

Function 00FBFD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

m1s3, xrefs: 00FBFEC3, 00FBFECB
:, xrefs: 00FC0087
NA_I, xrefs: 00FC036D
uvw, xrefs: 00FBFE95

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: 47b51e04ccbef4d469ba64d025ac072b45bfe0a245fb459d2d51cefaa9112e26
Instruction ID: e788ebea9d2e300b3f2e3d2d30d2394e861e56c9baab4f3cd50e58fa40ce39ac
Opcode Fuzzy Hash: 47b51e04ccbef4d469ba64d025ac072b45bfe0a245fb459d2d51cefaa9112e26
Instruction Fuzzy Hash: 4332BBB1908381DFD300DF29D881B2ABBE1BB89714F184A2CF5D58B252D739D946EF52

Function 00FA3BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

p, xrefs: 00FA3C80
%*+(, xrefs: 00FA3EC4
ss, xrefs: 00FA3C79
;z, xrefs: 00FA3C87

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: 3e87050e13d1b195db9491434a1386cb9f3c279a5e90e69e40c8a73b12a4bd1c
Instruction ID: abfc9c94be9989686260b1aa32b30f00c81b66021bc1db998669d574fa3b5e93
Opcode Fuzzy Hash: 3e87050e13d1b195db9491434a1386cb9f3c279a5e90e69e40c8a73b12a4bd1c
Instruction Fuzzy Hash: 6C025CB4810B00EFD760DF24D986756BFF5FB02700F50895DE89A8B696E334A419DBA2

Function 0116DA52 Relevance: 5.4, Strings: 3, Instructions: 1668COMMON

Download Yara Rule

Strings

bYx, xrefs: 0116E8FC
fno{, xrefs: 0116E42A
O{, xrefs: 0116E880

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: bYx$fno{$O{
API String ID: 0-1928505176
Opcode ID: 098deffde50a4cc963caea31ee05d21f56881cbf6fcc5008cb15f145187442e8
Instruction ID: 020f7feb8a478427efb156da5f1eea912c60673a314218f512fd7466290a7f73
Opcode Fuzzy Hash: 098deffde50a4cc963caea31ee05d21f56881cbf6fcc5008cb15f145187442e8
Instruction Fuzzy Hash: 9DB249F3A0C2049FE3046E2DEC8567ABBE9EF94720F1A453DEAC5C3744EA3558058697

Function 00FB2260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

lc, xrefs: 00FB2507
sj, xrefs: 00FB2327
a|, xrefs: 00FB2317
hu, xrefs: 00FB232F

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: a|$hu$lc$sj
API String ID: 0-3748788050
Opcode ID: 36f7722a46cbff3c7a57e640d23e38cb14e6705a4150ed4facb992d764b28185
Instruction ID: d495a5113eecba55e929da8f1a600308410f1c6e51a05d38f29e470f536d67e6
Opcode Fuzzy Hash: 36f7722a46cbff3c7a57e640d23e38cb14e6705a4150ed4facb992d764b28185
Instruction Fuzzy Hash: E2A19C74808341CBC720DF19C891A6BB7F0FF96364F588A0CE8D59B291E339D941DBA6

Function 00FBD7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

CV, xrefs: 00FBD98B
KV, xrefs: 00FBD97D
#', xrefs: 00FBD9EA
T>, xrefs: 00FBD984

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: abe99eb129f0b520a34a7a4e1c06112a2bcc7ae2a12b1d9b48fd3073991129b5
Instruction ID: 5612169fc17153e9e2ab27fd2f87f5f8a513ef46e8b7c8f20b811a1889da7926
Opcode Fuzzy Hash: abe99eb129f0b520a34a7a4e1c06112a2bcc7ae2a12b1d9b48fd3073991129b5
Instruction Fuzzy Hash: 3F8176B48017469BDB20DF96D68659EBFB1FF12300F20460CE4866BA55D334AA55CFE3

Function 00FBAC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

,{*y, xrefs: 00FBAD07, 00FBAD13
lk, xrefs: 00FBACBC
4c2a, xrefs: 00FBACA9
(g6e, xrefs: 00FBACA1

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: a2f69747d279784b11f8b3b50a352c649e21865d9eaac008af2fac405c95301b
Instruction ID: cfe225b526c62c2af38afed73288d747619b60237d5686317a0b94d902c26864
Opcode Fuzzy Hash: a2f69747d279784b11f8b3b50a352c649e21865d9eaac008af2fac405c95301b
Instruction Fuzzy Hash: 1D4174B4808381CAD7209F21D940BABB7F0FF86305F54995DE6C89B260EB36D944DB96

Function 00FBC470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00FBC9E4, 00FBC9ED
~/i!, xrefs: 00FBC537
%*+(, xrefs: 00FBC8C3, 00FBC8CB

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: 1837169e64b713c75fb8b7a255e6f273cfdb83df9d2c5617439dee6ff6eca9ca
Instruction ID: d4a0ae933ba93fe7431df03e474f5689a9c2affa3abd4130325dd155bcd9ac5c
Opcode Fuzzy Hash: 1837169e64b713c75fb8b7a255e6f273cfdb83df9d2c5617439dee6ff6eca9ca
Instruction Fuzzy Hash: ADE195B5908384DFE7209F26D881B5FBBE5FB85350F48882CE6888B251D735D814EF92

Function 01172C83 Relevance: 4.1, Strings: 2, Instructions: 1596COMMON

Download Yara Rule

Strings

bk_?, xrefs: 01172D37
@]i, xrefs: 01172CE9

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: bk_?$@]i
API String ID: 0-1370514587
Opcode ID: e8f70c3c62fbe31575741949ac712953b5fab9477063c564b1c641b2925a69b5
Instruction ID: 1c4d0415d494be631d6cb83d2a91f07ad3a7fcab3501503d89ce137f978ce66f
Opcode Fuzzy Hash: e8f70c3c62fbe31575741949ac712953b5fab9477063c564b1c641b2925a69b5
Instruction Fuzzy Hash: 91B2D6F350C2009FE7146E29EC8577ABBE5EF94320F1A493DEAC587744EA3558408697

Function 01160F8F Relevance: 3.3, Strings: 2, Instructions: 787COMMON

Download Yara Rule

Strings

0:~=, xrefs: 011610CD
0:~=, xrefs: 011610DE

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: 0:~=$0:~=
API String ID: 0-3703844230
Opcode ID: 010f2b39f4766b8b02783f3a7ea515d3ec621379f71c0eac13c93403cd1cf337
Instruction ID: c1d0945fb632de21e8a3735e95672ed55c7f8cd35927c92ecc25c1ae8c490777
Opcode Fuzzy Hash: 010f2b39f4766b8b02783f3a7ea515d3ec621379f71c0eac13c93403cd1cf337
Instruction Fuzzy Hash: BC3229F3A0C2109FE705AE6DEC8577AB7EAEF94320F1A453DE6C5C7744EA3158018686

Function 00FD4040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

f, xrefs: 00FD420C
%*+(, xrefs: 00FD40A4, 00FD40AD

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: 5eee37bb60fd7a43c23bc3c0f3d24a8a25cc06e718848f666c402f3e15daee74
Instruction ID: b70e207700bf37a1ac5834a249e0b96a54a208332f796b21996a31cc71b5e781
Opcode Fuzzy Hash: 5eee37bb60fd7a43c23bc3c0f3d24a8a25cc06e718848f666c402f3e15daee74
Instruction Fuzzy Hash: DB129B719083419FC715CF18C880B2EBBE6BBC9314F188A2EF5958B391D735E945DB92

Function 00FCF620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

dg, xrefs: 00FCF7F5
hi, xrefs: 00FCF6E6

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: 59dc821540125713b567c50bdaad86155ac42685494db541dc52839d161616c6
Instruction ID: 3c57804031527a7e410ab391b23c61e61a06f6717ad4e326f97fb57378c1e973
Opcode Fuzzy Hash: 59dc821540125713b567c50bdaad86155ac42685494db541dc52839d161616c6
Instruction Fuzzy Hash: 70F19671618382EFE704CF24D891B2ABBF6FB85354F14892CF0858B2A1D739D845EB52

Function 00F935B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

Inf, xrefs: 00F93607
NaN, xrefs: 00F9360E

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 7fe4c8099d280a3bb316938a495f03b562a4b45b9952be0c9d04f25a3a8c9f47
Instruction ID: cddc24ce3f000b9d2d40f6d3ce7c18287a7f623625c406f0707ff6c81bddf100
Opcode Fuzzy Hash: 7fe4c8099d280a3bb316938a495f03b562a4b45b9952be0c9d04f25a3a8c9f47
Instruction Fuzzy Hash: 62D1E772E083119BDB14CF29C88061EB7E2EFC8750F158A2DF999973A0E775DD059B82

Function 010E8F3E Relevance: 2.7, Strings: 2, Instructions: 240COMMON

Download Yara Rule

Strings

p9m, xrefs: 010E9161
$QwW, xrefs: 010E90F9

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: $QwW$p9m
API String ID: 0-2124553190
Opcode ID: 24cc309d9b6bcd6fea87f9f70a155a72334abd00cd89605c4a8d2e0ec03a1124
Instruction ID: 7a530671ba7c5f7303ec7cdc425e592008b6ae7ddcb116891322d1dd69a93a63
Opcode Fuzzy Hash: 24cc309d9b6bcd6fea87f9f70a155a72334abd00cd89605c4a8d2e0ec03a1124
Instruction Fuzzy Hash: 2D7107F3A092006BE300A92EDD8576AF7DADFD8710F1B853DDBD4C3744E93559058292

Function 00FAFFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

BaBc, xrefs: 00FB0197
Ye[g, xrefs: 00FB00F6

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: bd9b57a2feb9ab5e797922c445d8ed4a2f2abb5094ba885c0a42351508280d53
Instruction ID: 12fb059c6518d5c5ba0a1db9bc1cc0358b18e5770cd053573a61fb099a7ddfcc
Opcode Fuzzy Hash: bd9b57a2feb9ab5e797922c445d8ed4a2f2abb5094ba885c0a42351508280d53
Instruction Fuzzy Hash: 6651CCB2A083818BD731DF19C881BABB7E0FF96360F08491DE4DA8B651E7749940DB57

Function 0112C60A Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

um_, xrefs: 0112C787
hX%, xrefs: 0112C715

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: hX%$um_
API String ID: 0-3712691305
Opcode ID: 0c10884c431df4242b3a00bcdefb9f83ab35f667c5021bc9c83c319bed16dac1
Instruction ID: c2d109fba82d52641a56a8b91ff02f712ce13d7127fa615e54d7912c36f24a80
Opcode Fuzzy Hash: 0c10884c431df4242b3a00bcdefb9f83ab35f667c5021bc9c83c319bed16dac1
Instruction Fuzzy Hash: 2A5126F3A4C3085FE7187E2CEC5573AB7E8EB44210F16063DEA85C3780E97659018686

Function 00F95160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 00F954C8

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: ac26ffb92b67ba47f17bf3fc17d90e5d4bfd0773c95713504e90bfdd1387b312
Instruction ID: 01f2c8db83db0d2031453d935c09ea4f8a3e0c42aac4f0d1c786bcc42ddbd399
Opcode Fuzzy Hash: ac26ffb92b67ba47f17bf3fc17d90e5d4bfd0773c95713504e90bfdd1387b312
Instruction Fuzzy Hash: 2D2205B2E08B418BFF168E58D840726BBA3AFE0B24F1D856DD8594B341E771DD05E742

Function 00FC12D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 00FC15D1

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: 5b64a3fdca7eb6b90b607b826b91df704855995ebf3085ba403b86ae8f2aa006
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: D1F12771A083424BC728CE24C952F2BBBE5BFC6364F18896DE89987383D634DD15E791

Function 00FBAE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00FBB2D3, 00FBB2DB

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 50a5cae14ff22dc89577df405fe2d67a496fb60476195de12081fe25fefaaa00
Instruction ID: 340446cd6d3245e62e86846dc5a15a9d6cd37da2789d3447e3a1dd940fde1e2d
Opcode Fuzzy Hash: 50a5cae14ff22dc89577df405fe2d67a496fb60476195de12081fe25fefaaa00
Instruction Fuzzy Hash: C4E1AD75508346CBC314EF2AC8905AEB7E2FF98791F54891CE5C587220E371E995EF82

Function 00FA6EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00FA6EF3

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 8fe0f05aa20294470dc4ebbefe2d8758dced8ab80e8c4a31e8e6b9285c3753f8
Instruction ID: cb21197b1a8a9e6e536e22b2ceae8232875f97ce13e4de0c39cbba36c25f2976
Opcode Fuzzy Hash: 8fe0f05aa20294470dc4ebbefe2d8758dced8ab80e8c4a31e8e6b9285c3753f8
Instruction Fuzzy Hash: E6F1AEB5A00A05CFD724DF24D891A26B3F2FF89314B188A2DE497C7691EB34F915EB44

Function 00FB7E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00FB8263, 00FB826B

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: f57cd31307e4e50159033646baf2169e667789e154414a90e30797fccba3c6bd
Instruction ID: eeb07a55dbce90c45e212c07f49a8972a94296777437c99aaf6652d80d4ef120
Opcode Fuzzy Hash: f57cd31307e4e50159033646baf2169e667789e154414a90e30797fccba3c6bd
Instruction Fuzzy Hash: ADC1C171909300ABD710EB19CC81A6BB7F9EF957A4F084818F8C597251E734DD16EBA2

Function 00FB8D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00FB9233, 00FB923B

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 4c363b405cb43ad4dbdbc1102c514783273fe3d19d3e5bb7576cfbb9db496a3d
Instruction ID: 44f960c8aea80dbf8481f44be6234ffd41b22932770ba6d9bfb8e0241581ec39
Opcode Fuzzy Hash: 4c363b405cb43ad4dbdbc1102c514783273fe3d19d3e5bb7576cfbb9db496a3d
Instruction Fuzzy Hash: FAD10F70608346DFC714DF69DC80A6AB7E6FF89314F09886CE8828B251DB74E891EF51

Function 00FD7FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 00FD8167

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 23a8c3b626cd1d53b063e0cb20cf2b6002572acb084986d0075cd3afdd96d80a
Instruction ID: 2ff5d24ebb6da4b5e70f92ad10dd300012e9a048ee6904068e631a5bddd77937
Opcode Fuzzy Hash: 23a8c3b626cd1d53b063e0cb20cf2b6002572acb084986d0075cd3afdd96d80a
Instruction Fuzzy Hash: 9CD1E4729082658FC725CE18D89071EB7E2EB85758F1D862DE8B5AB381CB71DC06E7C1

Function 00FBCCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00FBCDC3, 00FBCDCB

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: 7fbef8759df4df57c3915deaf57145b909b14e48d0179eb9ea588b01d4379142
Instruction ID: 1377648dae5e7c802b9ab585f45d127c68b242ff47e8510f829ca318691ba56b
Opcode Fuzzy Hash: 7fbef8759df4df57c3915deaf57145b909b14e48d0179eb9ea588b01d4379142
Instruction Fuzzy Hash: 84B10E71A083058BDB14EF16D890BABBBE2EF85350F14482DE5C58B351E335E855EFA2

Function 00FCFC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00FCFCA4, 00FCFCAD

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 5f05915afbf26a07e61ed4e04874b338468e4fbb167b1a062f6c9531cba64b2c
Instruction ID: 573afb418a50ddeff4014aa2f31a68c078f10924622a8e037683ae1e32314c8a
Opcode Fuzzy Hash: 5f05915afbf26a07e61ed4e04874b338468e4fbb167b1a062f6c9531cba64b2c
Instruction Fuzzy Hash: 1C810DB0608346EBD710DF54DD82F2AB7E6FB89705F04882CF1858B251E734D818EBA2

Function 00FAD457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00FAD663, 00FAD66B

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 567d49917a78993d990633791172dcb53ea01b89884c53c117ce7d7574b97537
Instruction ID: e77f11e7e6b310c6698e8bdac20143f2b5d7bbf4603a2153970cccd8fc7cf98d
Opcode Fuzzy Hash: 567d49917a78993d990633791172dcb53ea01b89884c53c117ce7d7574b97537
Instruction Fuzzy Hash: DE61E3B2908204DFD710EF58DC82A2AB3B1FF95354F48092DF9868B351E779E911E792

Function 010F2093 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

K#_, xrefs: 010F21C3

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: K#_
API String ID: 0-3097328139
Opcode ID: b94fc59d65410dd999632fcb4d39797cd3d1fc6cde9db26792d8d1f7dae7e70b
Instruction ID: 352160931ffd1f7034b8a94565c17d35fd1cd197387a7abedd1895a7289680d6
Opcode Fuzzy Hash: b94fc59d65410dd999632fcb4d39797cd3d1fc6cde9db26792d8d1f7dae7e70b
Instruction Fuzzy Hash: CA7102B3E186109BE3542A2DDC947AABBD5EBC4320F1B463DDAC4D77C0D939484087C6

Function 00FD4A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00FD4C33, 00FD4C3B

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 41f680f2c0117ccdf8af2a54ebb6cd0d0caa9e6f4d663c7e7387ad2a343048c8
Instruction ID: 9d28ad7c25baccb77579bc07696f234b4db3c5dc8339146354e0c49820426e5f
Opcode Fuzzy Hash: 41f680f2c0117ccdf8af2a54ebb6cd0d0caa9e6f4d663c7e7387ad2a343048c8
Instruction Fuzzy Hash: BD61CC75A083459BD7109F25D880B2AB7E7EBD4324F2C891EE5C58B391D731EC50EB52

Function 00F9E1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00F9E333

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: 566894a19a9d03750af8ddbdde96b86dcf07c6cf3ef54169ad068f60207fa671
Instruction ID: 358e037d859f77488b89004cf4cdaf0a7fcd545dc951ed8ee727f603f47862cb
Opcode Fuzzy Hash: 566894a19a9d03750af8ddbdde96b86dcf07c6cf3ef54169ad068f60207fa671
Instruction Fuzzy Hash: 5D513823E596914BEB28CA3C9C513A97F870BD3334B3DC76AE9F58B3E1D5164804A390

Function 010A5316 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

b7w, xrefs: 010A5379

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: b7w
API String ID: 0-2290821336
Opcode ID: bbf5cbf8856dfceeb8405c9bb766cde5901b3dfa732263ab1c5bf5bff927e565
Instruction ID: b373c4aee14e7573c8f20b50e185ec8853698da4ea79da3fcddc0998d156f029
Opcode Fuzzy Hash: bbf5cbf8856dfceeb8405c9bb766cde5901b3dfa732263ab1c5bf5bff927e565
Instruction Fuzzy Hash: 59417CF3B493156FE300696DEC957ABBBCADBD4670F2E063AE584C3345F87859018292

Function 00FD3920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00FD39E3, 00FD39EB

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 8ad6c02b27e399695b6c864fc609eaf965c0efb720c26aef2e985fd6f11e6315
Instruction ID: be35efeb95ae4569ee4847281048a75c8b5d7a335640f763e7ad494140d31946
Opcode Fuzzy Hash: 8ad6c02b27e399695b6c864fc609eaf965c0efb720c26aef2e985fd6f11e6315
Instruction Fuzzy Hash: 5A51BD78A092409BCB24DF14D890A2EB7E7EB85754F18891EE6C687351C375DD10EB63

Function 010C6EC6 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

r*Z, xrefs: 010C6EEC

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: r*Z
API String ID: 0-1289818606
Opcode ID: 7185af27ae083bfab84f65a79e360f1b3712d7f441c1f006b727e2876e09e3f1
Instruction ID: 7da96318a006f5289707db26c4657a566e92e816f746b714e82677c8f18487c4
Opcode Fuzzy Hash: 7185af27ae083bfab84f65a79e360f1b3712d7f441c1f006b727e2876e09e3f1
Instruction Fuzzy Hash: 0B418AB390C5008FE3096E3CEC166BA77D7DBC4320F2B863DD58193788EE3555058686

Function 00FA1BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00FA1C3E

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: 9dd8e3a58b3ad173d080193e8a6eb3e7e6f64c06c9c688cb18cdf718f658ae23
Instruction ID: c522232b942b58ad79e92524d2270c385edddf35a006a8c7cc0bb387e5468d68
Opcode Fuzzy Hash: 9dd8e3a58b3ad173d080193e8a6eb3e7e6f64c06c9c688cb18cdf718f658ae23
Instruction Fuzzy Hash: F64171B84083849BC7149F28D894A6FBBF0FF86324F04890CF5C69B291E736DA05DB56

Function 00FCFF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00FD0033, 00FD003B

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 4dd553550db0c40911df1130d83938aa8b044cc42a5bea327f304d247cb0d371
Instruction ID: fac7cfa7b1e3d4d14a4bf3ce959036a29246b83ba27eed7931e08d75468be74c
Opcode Fuzzy Hash: 4dd553550db0c40911df1130d83938aa8b044cc42a5bea327f304d247cb0d371
Instruction Fuzzy Hash: 6E3114B1908305BBD610EA14DC85F2BB7EAEB81758F58482AF88587352E635DC14E7A3

Function 00FBE40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 00FBE6A2

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 67be52c91c0b74889d79f36ec663f6df35598c58331205d6b3299903535c7f6b
Instruction ID: d8a3c5f7053b00b77d460ba5eb596b10edffdfde9f8f480639b91f29d53d5779
Opcode Fuzzy Hash: 67be52c91c0b74889d79f36ec663f6df35598c58331205d6b3299903535c7f6b
Instruction Fuzzy Hash: 7431C3B5E00249CFDB20CF96E9D05EFB7B5FB46304F640469E446AB202C735A905EFA1

Function 00FA6F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00FA703B

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 9fa6ebe2d92c92a62c1c94bcbc7685c2d60fc450ea3ba548625b14399726e8ee
Instruction ID: 6900cbfc0877f8606c55d13476c159c8bdca309d51af700808da147f2c2afb7d
Opcode Fuzzy Hash: 9fa6ebe2d92c92a62c1c94bcbc7685c2d60fc450ea3ba548625b14399726e8ee
Instruction Fuzzy Hash: 4F4157B5605B08DBD7349B61CD90F26B7F2FB4A705F148818E5C69BAA1E331F810AB10

Function 00FBE66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 00FBE6A2

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: a3bd0ea409684ce39f72d9c4a89184ac1431b72f482c7296e1589635e21672f6
Instruction ID: b9174bc4a35fd49fe7d0b9c48d6351d35c895f444809165ef05680f0dc5f3be1
Opcode Fuzzy Hash: a3bd0ea409684ce39f72d9c4a89184ac1431b72f482c7296e1589635e21672f6
Instruction Fuzzy Hash: 5321B175A00249CFDB20CF96D9D05EFBBB5BB4A700F64081CE446AB202C335A901EFA1

Function 00FD9CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 00FD9D30

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 7403664cdf7bbc44d479bbad5e2cfe24f9392e27c430392790332f06cd177c16
Instruction ID: eb7951d5a5b578aa5fe8bdd2661b9344f2689f20ac1d99bad8984c90e559da14
Opcode Fuzzy Hash: 7403664cdf7bbc44d479bbad5e2cfe24f9392e27c430392790332f06cd177c16
Instruction Fuzzy Hash: B23167709083449BD310DF55D880A2AFBFAEF9A328F18892EE5C897351D375D904DBA6

Function 00FA4E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab4f3ce403911ef1484b515e5b82539bcfa68e3bdac69059c04f80588074e4d
Instruction ID: 67c703d0b1cd3d181e8a77dfc6d4bd22e839d8c11c01586e1eff3f09e9f1a924
Opcode Fuzzy Hash: 2ab4f3ce403911ef1484b515e5b82539bcfa68e3bdac69059c04f80588074e4d
Instruction Fuzzy Hash: 6E626BB4900B008FDB25CF24D990B27B7F6AF5A714F54892DD49B8BA52E774F808DB90

Function 00F9BEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: e1679f8ae2eb1477c8f845b762f6069a718c68181a6f1849ceb8ae9fbd327d37
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: A052F832A087118BDB25DF18D8402BAB3E1FFD5329F694A2DD9C693290D734A851DBC6

Function 00FD8652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ecfd81822bc99aedddd24b1b81ca8391b0ed63c94170f9aaea71b5338cfc8e
Instruction ID: db76f11205d2fda9ea78e6d186352f0b401e1829a3445ec9cbdffad765ee629c
Opcode Fuzzy Hash: 09ecfd81822bc99aedddd24b1b81ca8391b0ed63c94170f9aaea71b5338cfc8e
Instruction Fuzzy Hash: FB22BD35A0C385CFC705DF68E89062AB7E2FF89315F09896EE5898B351D735E850EB42

Function 00FD86F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ad901353ee6b67cf087095f2a54161c31b88b10847daff026346f2afb9c5ed
Instruction ID: cbf1e95cd40cc067f3514ad22d68b91e1387af4c75aeb51008625b8674613146
Opcode Fuzzy Hash: 95ad901353ee6b67cf087095f2a54161c31b88b10847daff026346f2afb9c5ed
Instruction Fuzzy Hash: EC22AC3560C384DFC705DF68E89061ABBF2FB8A315F09896EE5898B351C735E850EB52

Function 00F9B3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f6c7b1d62a28a5a8eff15626b01f7a183dba515aef1da31cf22563f1411216
Instruction ID: 7b30c338216ab3cecfd7029286c87ecb79c7cbe14e1dc6adae9fdaf828fcf7c9
Opcode Fuzzy Hash: 23f6c7b1d62a28a5a8eff15626b01f7a183dba515aef1da31cf22563f1411216
Instruction Fuzzy Hash: A252B370D08B848FFF35CB24D5843A7BBE2AF91324F144D2DC6D606A82C779A885E751

Function 00F971F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8fbc5a8dc67606a3f8304b84c1255a4db8f029e09db71db250d8ad085432e82
Instruction ID: ddfef999e10b07fa219ddc385574918a20ebd30b9c3b4cf725f51c31cf759fb9
Opcode Fuzzy Hash: a8fbc5a8dc67606a3f8304b84c1255a4db8f029e09db71db250d8ad085432e82
Instruction Fuzzy Hash: 2C52F23191C3458FDB15DF29C0806AABBE1FF88314F198A6DE8995B351D734E849DF81

Function 00F98FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afa1b10791ae3de9d6a06a0d7fed68d26f445f32b6b579cf29ef21572c5aa63
Instruction ID: 801f0eeb8e6fbeb92c1db78cfdd3941a92989f2dbcb651d1bb570d69b4304b7e
Opcode Fuzzy Hash: 7afa1b10791ae3de9d6a06a0d7fed68d26f445f32b6b579cf29ef21572c5aa63
Instruction Fuzzy Hash: 4F429879609305DFEB08CF28D85076ABBE2BF89314F09886EE4858B391D375D945EF42

Function 00F97BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1155e35a0a8179f33b9798c4d15c90b18a812db36d54ba2cd793cad36b3f47
Instruction ID: 36cee2a8bced9746c10f3bffde6cf5519f2eefa778e3c5147c8d6a764353a88b
Opcode Fuzzy Hash: df1155e35a0a8179f33b9798c4d15c90b18a812db36d54ba2cd793cad36b3f47
Instruction Fuzzy Hash: 49323371928B108FDB38DF29C590626BBF1BF45710B604A2ED69787B90D736F885EB10

Function 00FD89A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cde628ce230470afa41f6594e7a649658d44393b63affd16ed59d04bd93c624
Instruction ID: 20f27a2759ef350c10f34689d70caa0ad0496e67f7dd83347f8ca387289e637d
Opcode Fuzzy Hash: 8cde628ce230470afa41f6594e7a649658d44393b63affd16ed59d04bd93c624
Instruction Fuzzy Hash: A8029C3560C285DFC705DF68E88061ABBE2EF8A315F09896EE5C58B351C335E850EB92

Function 00FD8A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e16e7d47a4a456ab52af734249c991a9ab51eb8c93f43e6c8c427ee50b583f9e
Instruction ID: 74fc6df0cafa7dd352d734e757cefddc02666aa6eece7f2c31a1fa1513619882
Opcode Fuzzy Hash: e16e7d47a4a456ab52af734249c991a9ab51eb8c93f43e6c8c427ee50b583f9e
Instruction Fuzzy Hash: FDF18B3560C384DFC705EF68E88061EFBE2AB8A315F09896DE5D58B351D336E910EB52

Function 00FD8C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fedb172ac03ca6228f4c30bb8c5a5d8ab58fa8ebb9caecc512f97f874c85eb53
Instruction ID: 2a3c0bc00c20c2238c7518bc4932a98ad65c17cd26648e1d71d2bdd37c5dc58b
Opcode Fuzzy Hash: fedb172ac03ca6228f4c30bb8c5a5d8ab58fa8ebb9caecc512f97f874c85eb53
Instruction Fuzzy Hash: 7AE19031A0C385CFC704DF68E88061AF7E6EB89315F09896DE5D58B351D736E910DB92

Function 00F9A300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: e061d340d9db35bb33679b71b1ea1b2086b5cebd9b27a5f51cc2c824e708124c
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: 51F1CD766087418FDB24CF29C88176BFBE2AFD8300F48882DE4D587751E639E945CB96

Function 00FD8E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40cc056536d46e6d43b1613259549237496b2c79ec38b822ade067738b74e7da
Instruction ID: 7b3fb3ffd61a5805a583abe1555ef5fd9a9361d4b20ef38baf3892bb6180cc77
Opcode Fuzzy Hash: 40cc056536d46e6d43b1613259549237496b2c79ec38b822ade067738b74e7da
Instruction Fuzzy Hash: BDD1AD3060C280DFD705EF68D88062EFBE6EB8A315F09896DE5C58B351D736E810EB52

Function 00FA4487 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c747714def3bb8ee3668c8bbd1f54631bdc3ac6f4a56dbbf229608ce624b24e
Instruction ID: ea546ee780ff74667771b18aad44a575899c4241c7cf2f2ae02edb24824a9a58
Opcode Fuzzy Hash: 0c747714def3bb8ee3668c8bbd1f54631bdc3ac6f4a56dbbf229608ce624b24e
Instruction Fuzzy Hash: B0E10EB5601B008FD321CF28D992B97B7E1FF46708F04882DE4AACB752E775B8149B54

Function 00FD6CBF Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd2c98c8aa937a09e16101c57c840dc7aad954f68f6cb7057c59fa2da05c0e1
Instruction ID: 2e8c525717a9fa51e7084faad4efbe24004810473fb18cc78999f584ca9cd08a
Opcode Fuzzy Hash: 0bd2c98c8aa937a09e16101c57c840dc7aad954f68f6cb7057c59fa2da05c0e1
Instruction Fuzzy Hash: 79D10336618799CFC710CF3CE8C452AB7E2AB89314F194AADD491CB3A1D334DA44DB91

Function 00FD7AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80aeeacb79fbd235e3321663c223dbcf27e10c8674109369784960c647eedbf4
Instruction ID: fb9c5a7d919cd13c49eb885fab074d226957449b662453a8a00997191649cde1
Opcode Fuzzy Hash: 80aeeacb79fbd235e3321663c223dbcf27e10c8674109369784960c647eedbf4
Instruction Fuzzy Hash: B0B1E372A083504FE724EB28CC4176BB7E6ABC5314F4C4A2EE9999B391F735DC049792

Function 00F9AF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: c47591d435c8e04dedb38194c41da42628a28d950d3494c1e0eada67c9c33da6
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: 9CC197B2A087418FD730CF28DC96BABB7E1BF85318F08492CD1D9C6202E778A155CB46

Function 00FA6536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bab972434dfd525013d191750bea6a6cd01c561c8561a08b126f76e6d7e0dc6
Instruction ID: 237014e55362b69f3acd90d04474fc5eec260677e028a8266e3d2ca7005e96cb
Opcode Fuzzy Hash: 1bab972434dfd525013d191750bea6a6cd01c561c8561a08b126f76e6d7e0dc6
Instruction Fuzzy Hash: A6B1F1B4900B408FD321CF24C981B27BBF5AF56704F18885DE8AA8BB52E779F805DB55

Function 00FD7710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 298a712cfad4433d0ded0c04d5462ef89369a44bd44911ed9b396f0600248a8f
Instruction ID: 22c433e5134b248b4e3d802f0a167c6219d5b68b7787d0af5e30f9febd1d09be
Opcode Fuzzy Hash: 298a712cfad4433d0ded0c04d5462ef89369a44bd44911ed9b396f0600248a8f
Instruction Fuzzy Hash: 84918E75A0C341ABE720EB14DC80B6BB7E6EB85354F98481EF5848B351F734E950EB92

Function 00FDA0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c379d3e5cf5d1beac40eb3435e08dedc0f75412addc4986e1fb06cc1fea3cce
Instruction ID: 46ebab9749ecc189271630afaef1521f29232b9ba9c0ef2ac9ab3ad5e0698506
Opcode Fuzzy Hash: 6c379d3e5cf5d1beac40eb3435e08dedc0f75412addc4986e1fb06cc1fea3cce
Instruction Fuzzy Hash: 2881AD346087058BD724DF29C880A2AB7F6FF89750F09892EE585CB351E731EC10DB96

Function 0114F9CC Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb22a27519ab99a31f3d4e2f8f1aaf6ae3aed11cea2ff8333b756a9c88b6de4
Instruction ID: eaed23428f7ab3dd478e0cbe4476295359a2e390e2ec0084b2464d34235d3c88
Opcode Fuzzy Hash: 6cb22a27519ab99a31f3d4e2f8f1aaf6ae3aed11cea2ff8333b756a9c88b6de4
Instruction Fuzzy Hash: B891C1F3F102254BF3584D39CC983A16682DBA0315F1F827C8F599B7C5D87E9C095288

Function 00FC64F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3b950a537e0e85a14751700a42b174cd97244c7b992611e181252592ad5a41
Instruction ID: af67145f79641b1e42448309f3bbf8149b189092c44203cfdd9916d92648b319
Opcode Fuzzy Hash: 1a3b950a537e0e85a14751700a42b174cd97244c7b992611e181252592ad5a41
Instruction Fuzzy Hash: C371D433B6DA914BC714893C5D827A5BA834BD6334B3D877EE9B4CB3E5D52948066380

Function 00FB28E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234cda05072af55a97967140b940efe52264a50dc990f95c4bfe41440a91847a
Instruction ID: 30afae24f2e9ccd5fcf6820e9ed3646c9418b80eae12cde44af0692207382742
Opcode Fuzzy Hash: 234cda05072af55a97967140b940efe52264a50dc990f95c4bfe41440a91847a
Instruction Fuzzy Hash: 906189B48083408BD350AF19D891A6ABBF1FF96760F14491DF4C58B261E339D910EF6A

Function 00FB7C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f632c434d73f2f5d7634173f61bbfb4136f97299a9b45b1bbbe684f29c84eaa8
Instruction ID: 3e7b36e54abf7d458510d7af3dd9372a3ae65f715a54adf6eb0ce3ee90e0e118
Opcode Fuzzy Hash: f632c434d73f2f5d7634173f61bbfb4136f97299a9b45b1bbbe684f29c84eaa8
Instruction Fuzzy Hash: 0351A0B1A083049BDB20AB25CC92BB777B4EF85364F144958F985CB391F375D805EB61

Function 00FC1860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: 6902b15212fdabf2e1511da6cdac1900887f279cbf0bbf42421fa3e961bc5677
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: F861C332A0D3129BD714CE29C681B1FBBE2BBC6360F64C92DE4898B392D274DD55A741

Function 00FC82D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46852824557e100792844afee8eb3b4e8e51e95198b858b7301280218b833739
Instruction ID: 018bbd8eeab3211c37b7dd9fe595f123f7c10a7aa3184831fd94ec9ee26063a7
Opcode Fuzzy Hash: 46852824557e100792844afee8eb3b4e8e51e95198b858b7301280218b833739
Instruction Fuzzy Hash: 12612923A5A9924BC318853C5D577A6AA831BD2770F3DC36ED9F18B3E5CD694803A381

Function 00FA42FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d145bac85a2c99d43bcacf11a0cc568dbef7c690d4392ec4389ff21acebee1
Instruction ID: d03615adbd062379059ab5c5fc9142545ac8332a93ce22015c9a3f8b0e0c057b
Opcode Fuzzy Hash: 89d145bac85a2c99d43bcacf11a0cc568dbef7c690d4392ec4389ff21acebee1
Instruction Fuzzy Hash: 0B81EFB4810B00AFD360EF39DD47797BEF4AB06301F504A1DE4EA96695E7306419DBE2

Function 00FCE8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: 123423bec9d4eeb546bfec95a695b78bcfd14ab1523f2d87cbf2b660fbd4719c
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: C8516EB19087548FE314DF69D89575BBBE1BBC5318F044E2DE4E987350E379D6088B82

Function 00FD7520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9230a315f883e974b22c856273fce2ea49a029afccd5ce17ee6fafba611a3bc0
Instruction ID: 30447613e0e8e0f0c68fb28255e8948887ba52a4471b660b9c20369d17e29ba3
Opcode Fuzzy Hash: 9230a315f883e974b22c856273fce2ea49a029afccd5ce17ee6fafba611a3bc0
Instruction Fuzzy Hash: A651073160C3149BC714AE18DC90B2EB7E7EB85768F2C8A2DE9D59B391E631EC10A751

Function 01254966 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2072383ba30be849c45a2a6236f290de6a379e3ec1af9096474c2dca51468d
Instruction ID: aa785094dc00b1df44126f0026f13c5412a32d07f48d84e6e7332dcf0e451b38
Opcode Fuzzy Hash: cd2072383ba30be849c45a2a6236f290de6a379e3ec1af9096474c2dca51468d
Instruction Fuzzy Hash: 9B51C3F393C644DFD3C4BE19ADD263AF7E5AB94220F16452EDAC683600F5B058C18686

Function 00F95A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: febb55d7877d745069cf938a2bd8e8db277787b26237273b522919d2a4d94bff
Instruction ID: 488ea9ee8c4645db01cea9cf2992f8be0cc206691b86fe6d35bfdf9a1e233ec6
Opcode Fuzzy Hash: febb55d7877d745069cf938a2bd8e8db277787b26237273b522919d2a4d94bff
Instruction Fuzzy Hash: 2151F1B1E047049FEB15DF28C880926B7E1FF85324F55466CE8998B352D635EC42DB92

Function 01080FDD Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a56494ade46065482144e5b8dfc5bb80ebe8118ae21ccdb9f1c472ec718b0fa
Instruction ID: b23ecf6d7bf5266b3567f35b1007b6236d025226520a70343253207fc4d86f08
Opcode Fuzzy Hash: 9a56494ade46065482144e5b8dfc5bb80ebe8118ae21ccdb9f1c472ec718b0fa
Instruction Fuzzy Hash: 49410AF3F5931857E300692DED8436ABA96DBD4320F1A853DD6C853788F87A54094692

Function 00FBEC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1758f0df391cd57c2fd654b08579fbef4e7fafbf436aab46326aa29283229404
Instruction ID: 0b63725cae72766a7b0867303ff68dc089dc804cf3b001046f7fc347fb4d1f6c
Opcode Fuzzy Hash: 1758f0df391cd57c2fd654b08579fbef4e7fafbf436aab46326aa29283229404
Instruction Fuzzy Hash: FC417BB89003199BDF208F95DC91BEDB7B1FF0A310F144548E945AB3A1EB78A950EB91

Function 00FD9B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83d13dbbc66db6ddd61bcb882aab641cea91388031c2d4ae3d49d18aadb335c
Instruction ID: 1f0a0edb8a20b057a3e1647f4d946f0296bd6993a2b733ec9ded36965bace2e9
Opcode Fuzzy Hash: d83d13dbbc66db6ddd61bcb882aab641cea91388031c2d4ae3d49d18aadb335c
Instruction Fuzzy Hash: 4841DD3461C345ABD710DB54D980B2EB7E7EB85B24F18882EF5899B351C3B5E810EB62

Function 01112FF9 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f40bf04ea980e781cbf915912cc40e65bebe598f41e5698eaa507c273b92ede
Instruction ID: 672cf1ddda46fdc64da4a43ca5da39cc7447675c022d45c9cf2793d78e83bc1d
Opcode Fuzzy Hash: 3f40bf04ea980e781cbf915912cc40e65bebe598f41e5698eaa507c273b92ede
Instruction Fuzzy Hash: 58418EB3F111264BF3644D79CD483A266939BC5314F2B42788F0CABBC9D97D5D4A5288

Function 00FA2030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca30aefc2b9324c2b026c5f2ccb5b781f516c0f87adef544217ed9c2e4e9125f
Instruction ID: 59bb7e9f47fd066e3e9ae7f5a9d375a71cf61bdf45333f827ecd97d96815d1cb
Opcode Fuzzy Hash: ca30aefc2b9324c2b026c5f2ccb5b781f516c0f87adef544217ed9c2e4e9125f
Instruction Fuzzy Hash: 3D41D672A083654FD35CCF2EC4A023ABBE2ABC5310F09C66EE4D6873D4DA748945E781

Function 00FA1E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d922a807aa4a62112b2db489370d1938ea28f960e428c4760b6efd5f9c7ca3
Instruction ID: 4c22f75bb1ac5d736acc999bd190f8cbfee911526128ab924846be493f2e6025
Opcode Fuzzy Hash: 93d922a807aa4a62112b2db489370d1938ea28f960e428c4760b6efd5f9c7ca3
Instruction Fuzzy Hash: E941F2B4508380AFD320AB58C884B1EFBF5FB87354F14491DF6C497292C37AE8149B66

Function 01045EEB Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba70baf799f6d01cab0c6d65f0aabfe9fe500151969c53ee6b651ebb7039450c
Instruction ID: 43ef1ebf6ee331b161e0a8154441b0bf97814dbdaf28d5863cf6c177d375e098
Opcode Fuzzy Hash: ba70baf799f6d01cab0c6d65f0aabfe9fe500151969c53ee6b651ebb7039450c
Instruction Fuzzy Hash: 044105F3B541045BF34C5A29ECA577BB286EBD4321F2A453D9B86C77C0E83D590A4285

Function 00FD8D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86901753852560342fff1777d83b46a846b2f7d9023269141fe2c8d72b37319
Instruction ID: a00b0c127177cbdb93e76a9a2846544cd2011ae23db192ed5d662d3831168a20
Opcode Fuzzy Hash: c86901753852560342fff1777d83b46a846b2f7d9023269141fe2c8d72b37319
Instruction Fuzzy Hash: B241CE31A082548FC304DF68C49052EFBE7AF9A350F0D8A2ED4D59B3A1CB74DD028B86

Function 00FAD961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076fdab25ce9b156574272084ab91bfc9341c8e10bcc560c0017ab2b746ac402
Instruction ID: d80e2b5a95f06deabf31669ef8737a2ef340d2e9747175a9d2738d2569344ab6
Opcode Fuzzy Hash: 076fdab25ce9b156574272084ab91bfc9341c8e10bcc560c0017ab2b746ac402
Instruction Fuzzy Hash: 9641C2B16083858BD730DF10C881BAFB7B0FF96360F040958E48A8BB92E7784940EB57

Function 0112EAE9 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82527e0d7eeddba38994de003e0f24f7439f01a5c13673206a3763cf5ec5473e
Instruction ID: 67eab03ec9b86114a660f4d7e441e280b01e23ef7d28a80410bdd2146ca781d9
Opcode Fuzzy Hash: 82527e0d7eeddba38994de003e0f24f7439f01a5c13673206a3763cf5ec5473e
Instruction Fuzzy Hash: 5331F8F3A086008BF310AE2DDC8573ABBE6EBD4710F164A3CDAD4C3784E93999158657

Function 00FCF030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: bc34223a0a09737fb12209dc3ef8df56c762c69be34d83a60bf62a614f858317
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: E3213A32D0811547C3249B19C581A3BF7E5EB99B14F06863ED8C497295E3359C1897D1

Function 00FD67EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723614f422076ca7a900e0a23ec2246896a0e2b56a1064e94c11b566c46466b5
Instruction ID: cf8b300e9328f7374a93f9e16dce45f4431eb26fc2644b7c11b447ceb073110e
Opcode Fuzzy Hash: 723614f422076ca7a900e0a23ec2246896a0e2b56a1064e94c11b566c46466b5
Instruction Fuzzy Hash: F03134705183829AD714DF14C4A062FFBF1EF96394F54580EF4C8AB262D338D985EB9A

Function 00FB5E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed5c0ab3d73c3c504302149932227e2776d943d092da83e5c6ef39dd7120fe9
Instruction ID: 35c4b97285a12e514b5c24bf618b8d26834710c5a88c49249e65ce5adc75cea4
Opcode Fuzzy Hash: 0ed5c0ab3d73c3c504302149932227e2776d943d092da83e5c6ef39dd7120fe9
Instruction Fuzzy Hash: 2021A1719082019BD311AF19C851A7BF7F4EF92B64F448908F4D59B292E338D900EBA3

Function 00F949A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: b20b247cf1224760a92594486c9c59570a9a3200314ffb5cbc5012274520df1c
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: 8531EC31A582019BEB149E18D880E2BB7E1EFD5368F18856CE89A87241D235EC43EB46

Function 00FD64B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7dabc896bab78adc581bdc568472f682d857cc558a23dbbb7f9b8b40a69cb4c
Instruction ID: 930600dfe00470514255e8be15bf8e5e93ce00bb1b826bc21e8cf47899fd82d9
Opcode Fuzzy Hash: d7dabc896bab78adc581bdc568472f682d857cc558a23dbbb7f9b8b40a69cb4c
Instruction Fuzzy Hash: 96213674A0C2409BC704EF19D980A2EFBF6EB96755F2C881DE4C497362C335A850EB62

Function 00FA0EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4ee3d36d736b92cff174c5ed3894053f3895472bc933c04bfbf321ccfd342c
Instruction ID: cb095e34df89838aee9a6ff16665a2baf283c413ac27f2cfefdab697345c929f
Opcode Fuzzy Hash: 8d4ee3d36d736b92cff174c5ed3894053f3895472bc933c04bfbf321ccfd342c
Instruction Fuzzy Hash: 812139B4A0025A9FDB15CFA4DC90BBEBBB2FF4A304F144809E511BB292C735A901DB64

Function 00FD5700 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e681ec746a394803c794fc76d4e5204677ca9da8767a9e1bcaa74ac6490bce
Instruction ID: 21430a0f66e7cc410f38dc90ec966c5e3e4b01dad42c2d0ada22935b13e05380
Opcode Fuzzy Hash: 61e681ec746a394803c794fc76d4e5204677ca9da8767a9e1bcaa74ac6490bce
Instruction Fuzzy Hash: 7411A37591C280EBC301AF28EC44A1BBBF6AF86B11F198829E4C49B311D335D811DB93

Function 0117814C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07e761581396a139362877a8e7650cb1dabbafef448f899f32762240b6035b0
Instruction ID: 015f337c83f5299bb6b8975109f81b6f1f91bb754b75aa3c1fb2d37f3361ea0e
Opcode Fuzzy Hash: e07e761581396a139362877a8e7650cb1dabbafef448f899f32762240b6035b0
Instruction Fuzzy Hash: 1621EAB250C204EFE305AF19DC8167EFBE5FB98350F16492DEAD483210D736A4509B57

Function 00FCB650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: f58071e569e07f9e48ff2221824d70cc7780a51098b44e44777848fda1b854a3
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: A911C637A051D60EC3168D3CC542A65BFA31AA3234F5943EDE4F49B2D2D7228D8AA354

Function 00FC0B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: 44523d307ba0a3475690150ad7a68802feae7f6c2486cb3ca568459f8a53b8db
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: AD0175F5E0030397EB20DE5499D2F3BB2A96FC0728F18452CD41A97201DF79EC06E695

Function 00FBD1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9703ec2761ee046c12d6bc2a7ea7028c28fd20ba312b6478af9e39834539caf1
Instruction ID: 2c77a2678367985523e4069e7f52e3eeecec4a535c308fdec4a68e3f0131cd23
Opcode Fuzzy Hash: 9703ec2761ee046c12d6bc2a7ea7028c28fd20ba312b6478af9e39834539caf1
Instruction Fuzzy Hash: C011ECB0408380AFD310AF61C984A2FFBE5EBA6714F148C1DF6A49B251C379E819DF56

Function 00F96EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a35a5b592be85d890cf497c1f2ea7b26f29a2eed59c73f13efc1607ff637fce
Instruction ID: b3da0275a1a95c26b1c3400ffe859c21e51636c31a61502119260fb409b1e68f
Opcode Fuzzy Hash: 9a35a5b592be85d890cf497c1f2ea7b26f29a2eed59c73f13efc1607ff637fce
Instruction Fuzzy Hash: 71F0243AB2920A0BB610CDAAA88083BB3D6D7C9368B051539EA40D3201DD72E806A190

Function 00FCB8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 00FAC5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 00FAB410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 4d55cb3b412d5d5e660b29d4d2af639cfcb70751d8e4dd96b56de1dc23d55c6f
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: 26F0A0F1A086106BDB22CE589CC0B37BB9CCB8B364F190526EC8597203D261AC45C3E6

Function 00FC8220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c53cc9bd3467e824ef98ef8c9e1921eaefae84630f57d8d95717a18e99e8d8
Instruction ID: 95985bad77f14739dcce0937229e0e152522aadaeb1f0b46049a881dd8db000b
Opcode Fuzzy Hash: 96c53cc9bd3467e824ef98ef8c9e1921eaefae84630f57d8d95717a18e99e8d8
Instruction Fuzzy Hash: 5001E4B04107019FC360EF29C445747BBE8EB09714F004A1DE8EECB791D770A544CB82

Function 00FD1440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: c866a33beef99c4a233ca0f49ad252c398830a3710f354967d83a04622d71ef1
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: A4D05E21A0832156AB64CE19A4009B7F7E1FA87B21B4D955FF586E3248D230DC41D2A9

Function 00FA1ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129ff772449d1730f7f1f9e5fa9aad420f17ef08b2e1608bb833a49ddaec6780
Instruction ID: 4e47843309ee8108a6cf7630a380de587bd6c1fe4bfe1fe91335e4a4a733e181
Opcode Fuzzy Hash: 129ff772449d1730f7f1f9e5fa9aad420f17ef08b2e1608bb833a49ddaec6780
Instruction Fuzzy Hash: 56C01234A5A0088B8204DF20E895932B3BAA307208B00602ADA03E7261CA60D40AA90A

Function 00FD6094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95056f1da5fe354eb13c3d36546e67e770d5187690c57ee1ee31cba365db321
Instruction ID: 03bd754548b3265d32903aa3a00bb208b1bfae9ae843052e9f22e865d65ce030
Opcode Fuzzy Hash: e95056f1da5fe354eb13c3d36546e67e770d5187690c57ee1ee31cba365db321
Instruction Fuzzy Hash: 96C09B3465C04487910CCF04D999575F3779BD7B14729B01FC8072B355D134D512B55C

Function 00FA1A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5521b5503ebdee5eab5fbfb96c194f65cdb34867367cff626f9abf2512c2c7
Instruction ID: 6e5e714d2e5907c4b75cca52c1ae0828c497b12d4e1e4e4d80586cbeef9f582e
Opcode Fuzzy Hash: 2c5521b5503ebdee5eab5fbfb96c194f65cdb34867367cff626f9abf2512c2c7
Instruction Fuzzy Hash: FAC09B35A9A044CBC244DF95E9D1931B3FE5307208B10703B9703F7261C560D409E509

Function 00FD5FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716059551.0000000000F91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1716047456.0000000000F90000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001181000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001264000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.0000000001292000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.000000000129B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716091437.00000000012AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716420633.00000000012AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716531140.0000000001452000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716542570.0000000001453000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34e5116f4178008b0cef458768ce04419921da457fdded40cdffa53b65e93b0
Instruction ID: e57ef49a5d764e887386cf04b028bdd6f1d6cc95551a76f09227de7138549c5c
Opcode Fuzzy Hash: c34e5116f4178008b0cef458768ce04419921da457fdded40cdffa53b65e93b0
Instruction Fuzzy Hash: C0C09234B680888BA24CCF18DD99935F2BB9BCBA18B15B02DC807AB256E134D512960C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 00FD50FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Function 00F9FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 00F9D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 00FD5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00FD695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 00FA049B Relevance: .3, Instructions: 264
COMMON

Function 00FA0228 Relevance: .2, Instructions: 218
COMMON

Function 00FD3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 00FD3202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON