Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1528314
MD5:	7f16de1753bdf759e86f0065ae087993
SHA1:	0cb99974e464c4f61d0c308ae4108bc0b3a029b0
SHA256:	1bf1af0c96cd1d473dcd319d8173af52b68930f29d1edc9e1c823fd960e547cf
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 3040 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7F16DE1753BDF759E86F0065AE087993)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["clearancek.site", "spirittunek.stor", "licendfilteo.site", "studennotediw.stor", "dissapoiznw.stor", "bathdoomgaz.stor", "eaglepawnoy.stor", "mobbipenju.stor"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T19:13:16.220304+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.6	58624	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T19:13:15.858175+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.6	58536	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T19:13:16.195376+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.6	59167	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T19:13:16.183557+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.6	57109	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T19:13:16.245942+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.6	64768	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T19:13:16.157826+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.6	64556	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T19:13:16.232389+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.6	56523	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T19:13:16.208572+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.6	55910	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.3040.1.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["clearancek.site", "spirittunek.stor", "licendfilteo.site", "studennotediw.stor", "dissapoiznw.stor", "bathdoomgaz.stor", "eaglepawnoy.stor", "mobbipenju.stor"], "Build id": "4SD0y4--legendaryy"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.stor
Source: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.stor
Source: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.stor
Source: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.stor
Source: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.stor
Source: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.stor
Source: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49740 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_000650FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_0002D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_0002D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	1_2_000663B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00065700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	1_2_0006695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	1_2_000699D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	1_2_0002FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	1_2_00021000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	1_2_00036F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	1_2_0005F030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	1_2_00064040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	1_2_00066094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	1_2_0004D1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00042260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	1_2_00042260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_000342FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	1_2_0002A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_000523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_000523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_000523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_000523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	1_2_000523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	1_2_000523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_0004E40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	1_2_0003B410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	1_2_00061440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_0003D457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	1_2_0004C470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	1_2_000664B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00049510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	1_2_00067520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_00036536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	1_2_00028590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_0005B650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_0004E66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	1_2_00067710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_0004D7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	1_2_000667EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_000428E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	1_2_00063920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	1_2_0003D961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	1_2_000249A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_00031A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	1_2_00064A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	1_2_00025A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_00031ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	1_2_00069B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	1_2_0003DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	1_2_0003DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_00050B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	1_2_00033BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	1_2_00031BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	1_2_00047C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	1_2_0005FC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	1_2_0004EC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_0004AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	1_2_0004AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	1_2_0004CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_0004CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	1_2_0004CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00069CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	1_2_00069CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	1_2_0004FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	1_2_0004DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00068D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	1_2_00034E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	1_2_0004AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00047E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00045E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	1_2_00031E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	1_2_00026EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	1_2_0002BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	1_2_00036EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	1_2_00030EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	1_2_00049F62
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_0005FF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	1_2_00036F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	1_2_00067FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	1_2_00067FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	1_2_00065FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	1_2_00028FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	1_2_0003FFDF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:59167 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:58624 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:64556 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:55910 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:57109 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:58536 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:64768 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:56523 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: spirittunek.stor
Source: Malware configuration extractor	URLs: licendfilteo.site
Source: Malware configuration extractor	URLs: studennotediw.stor
Source: Malware configuration extractor	URLs: dissapoiznw.stor
Source: Malware configuration extractor	URLs: bathdoomgaz.stor
Source: Malware configuration extractor	URLs: eaglepawnoy.stor
Source: Malware configuration extractor	URLs: mobbipenju.stor

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=4cd710fa763484e6220656b9; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 07 Oct 2024 17:13:17 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control~ equals www.youtube.com (Youtube)
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000001.00000002.2323167716.0000000000E56000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000001.00000002.2323167716.0000000000E56000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: file.exe, 00000001.00000002.2323167716.0000000000E56000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2323341897.0000000000E74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000001.00000002.2323341897.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306332781.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306332781.0000000000E71000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307013354.0000000000E73000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2323341897.0000000000E74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000001.00000003.2306332781.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2323425071.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307013354.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000001.00000003.2306332781.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49740 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00030228	1_2_00030228
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00021000	1_2_00021000
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00032030	1_2_00032030
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00064040	1_2_00064040
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001180BF	1_2_001180BF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0006A0D0	1_2_0006A0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4	1_2_001FB0F4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0015E0EA	1_2_0015E0EA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001F1106	1_2_001F1106
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001F6172	1_2_001F6172
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0002E1A0	1_2_0002E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_000271F0	1_2_000271F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_000582D0	1_2_000582D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_000512D0	1_2_000512D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_000212F7	1_2_000212F7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0002A300	1_2_0002A300
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_000213A3	1_2_000213A3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0002B3A0	1_2_0002B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_000523E0	1_2_000523E0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0004C470	1_2_0004C470
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00034487	1_2_00034487
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0003049B	1_2_0003049B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_000564F0	1_2_000564F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00028590	1_2_00028590
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_000235B0	1_2_000235B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0003C5F0	1_2_0003C5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001EF5E8	1_2_001EF5E8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0005F620	1_2_0005F620
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0002164F	1_2_0002164F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001F964C	1_2_001F964C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00068652	1_2_00068652
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_000686F0	1_2_000686F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FE717	1_2_001FE717
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001F47F5	1_2_001F47F5
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_000DE844	1_2_000DE844
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0002A850	1_2_0002A850
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00051860	1_2_00051860
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0005E8A0	1_2_0005E8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0011A8B7	1_2_0011A8B7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001028B6	1_2_001028B6
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0005B8C0	1_2_0005B8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0004098B	1_2_0004098B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_000689A0	1_2_000689A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00064A40	1_2_00064A40
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00068A80	1_2_00068A80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00067AB0	1_2_00067AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00154B4A	1_2_00154B4A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0003DB6F	1_2_0003DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001F7B8C	1_2_001F7B8C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FCBDB	1_2_001FCBDB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00130BF3	1_2_00130BF3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_000A6BE3	1_2_000A6BE3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00027BF0	1_2_00027BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00068C02	1_2_00068C02
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00066CBF	1_2_00066CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001F2CDA	1_2_001F2CDA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0004CCD0	1_2_0004CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0004FD10	1_2_0004FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0004DD29	1_2_0004DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00048D62	1_2_00048D62
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00034E2A	1_2_00034E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0004AE57	1_2_0004AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00068E70	1_2_00068E70
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0002BEB0	1_2_0002BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00036EBF	1_2_00036EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0002AF10	1_2_0002AF10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00067FC0	1_2_00067FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00028FD0	1_2_00028FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_001180BF	1_1_001180BF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_001FB0F4	1_1_001FB0F4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_0015E0EA	1_1_0015E0EA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_001F1106	1_1_001F1106
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_001F6172	1_1_001F6172
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_0008547B	1_1_0008547B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_001EF5E8	1_1_001EF5E8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_001F964C	1_1_001F964C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_001FE717	1_1_001FE717
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_0008778F	1_1_0008778F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_001F47F5	1_1_001F47F5
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_000DE844	1_1_000DE844
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_001028B6	1_1_001028B6
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_0011A8B7	1_1_0011A8B7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_000DAA24	1_1_000DAA24
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_00154B4A	1_1_00154B4A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_001F7B8C	1_1_001F7B8C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_001FCBDB	1_1_001FCBDB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_00130BF3	1_1_00130BF3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_000A6BE3	1_1_000A6BE3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_1_001F2CDA	1_1_001F2CDA

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0002CAA0 appears 48 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0003D300 appears 152 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9995939047029703
Source: file.exe	Static PE information: Section: vrthgirk ZLIB complexity 0.9944816835902757

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00058220 CoCreateInstance,

1_2_00058220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1896960 > 1048576

Source: file.exe

Static PE information: Raw size of vrthgirk is bigger than: 0x100000 < 0x1a5a00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 1.2.file.exe.20000.0.unpack :EW;.rsrc :W;.idata :W; :EW;vrthgirk:EW;qmarxokm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;vrthgirk:EW;qmarxokm:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1d2ce0 should be: 0x1dcce0

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: vrthgirk
Source: file.exe	Static PE information: section name: qmarxokm
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0020502F push 4D8A605Ah; mov dword ptr [esp], esp	1_2_0020508C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00291061 push 0DFE4FB5h; mov dword ptr [esp], eax	1_2_00291086
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00291061 push ebx; mov dword ptr [esp], ecx	1_2_002910AA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002A90A8 push 6D8EDF82h; mov dword ptr [esp], ebp	1_2_002A90EC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002A90A8 push ecx; mov dword ptr [esp], 7F7F0B01h	1_2_002A911A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004DF0ED push 1C55BD3Bh; mov dword ptr [esp], eax	1_2_004DF10F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001180BF push esi; mov dword ptr [esp], 6FFF7AD3h	1_2_00118143
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001180BF push ebp; mov dword ptr [esp], edi	1_2_00118198
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001180BF push 0B4899DBh; mov dword ptr [esp], ecx	1_2_001181B6
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001180BF push eax; mov dword ptr [esp], edx	1_2_001181C3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001180BF push 0E3E666Eh; mov dword ptr [esp], ebx	1_2_001181F3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001180BF push eax; mov dword ptr [esp], edx	1_2_0011828E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_002A00F5 push edx; mov dword ptr [esp], esi	1_2_002A0169
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push 60E295E5h; mov dword ptr [esp], eax	1_2_001FB102
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push edx; mov dword ptr [esp], ebx	1_2_001FB18C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push 0CC6EA55h; mov dword ptr [esp], ecx	1_2_001FB25A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push eax; mov dword ptr [esp], ebx	1_2_001FB274
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push ecx; mov dword ptr [esp], esi	1_2_001FB28A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push esi; mov dword ptr [esp], 5B3E5C40h	1_2_001FB293
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push ebp; mov dword ptr [esp], edx	1_2_001FB2DE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push ebp; mov dword ptr [esp], eax	1_2_001FB421
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push esi; mov dword ptr [esp], ecx	1_2_001FB43C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push 19EA5D64h; mov dword ptr [esp], edi	1_2_001FB4BF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push 6D01426Fh; mov dword ptr [esp], ecx	1_2_001FB4C7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push 294F687Eh; mov dword ptr [esp], ebp	1_2_001FB56C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push ecx; mov dword ptr [esp], 7EFC28C6h	1_2_001FB570
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push 37FB45B0h; mov dword ptr [esp], edx	1_2_001FB5E5
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push 05105C11h; mov dword ptr [esp], edi	1_2_001FB64B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push 00588BB9h; mov dword ptr [esp], ebx	1_2_001FB65A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push eax; mov dword ptr [esp], 6C702DB4h	1_2_001FB6A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_001FB0F4 push edi; mov dword ptr [esp], 713A5347h	1_2_001FB6F5

Source: file.exe	Static PE information: section name: entropy: 7.981734006757534
Source: file.exe	Static PE information: section name: vrthgirk entropy: 7.9535508748545585

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2040DE second address: 2040ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F70AD0C53E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2043B9 second address: 2043DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F70ACF8B176h 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F70ACF8B180h 0x00000013 push eax 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2046F3 second address: 204700 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 208592 second address: 20862C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F70ACF8B18Dh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F70ACF8B17Eh 0x00000010 nop 0x00000011 sbb esi, 0FA5B1B7h 0x00000017 jmp 00007F70ACF8B180h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F70ACF8B178h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 0000001Bh 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 call 00007F70ACF8B17Ch 0x0000003d mov esi, 29C3CA00h 0x00000042 pop edx 0x00000043 call 00007F70ACF8B179h 0x00000048 pushad 0x00000049 pushad 0x0000004a jmp 00007F70ACF8B17Bh 0x0000004f push eax 0x00000050 pop eax 0x00000051 popad 0x00000052 push ecx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 20862C second address: 20866C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F70AD0C53ECh 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007F70AD0C53F2h 0x00000015 mov eax, dword ptr [eax] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F70AD0C53F3h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 20866C second address: 208676 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F70ACF8B176h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 208676 second address: 20867A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 20867A second address: 20873C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jmp 00007F70ACF8B185h 0x00000011 pop eax 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F70ACF8B178h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c jmp 00007F70ACF8B188h 0x00000031 push 00000003h 0x00000033 or esi, dword ptr [ebp+122D2C12h] 0x00000039 push 00000000h 0x0000003b xor edi, 61A7F236h 0x00000041 push 00000003h 0x00000043 or dx, B9FBh 0x00000048 call 00007F70ACF8B179h 0x0000004d push ecx 0x0000004e push esi 0x0000004f jp 00007F70ACF8B176h 0x00000055 pop esi 0x00000056 pop ecx 0x00000057 push eax 0x00000058 jng 00007F70ACF8B18Eh 0x0000005e mov eax, dword ptr [esp+04h] 0x00000062 jbe 00007F70ACF8B197h 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007F70ACF8B185h 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 20873C second address: 208740 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 208740 second address: 208767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 jmp 00007F70ACF8B180h 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 popad 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 208828 second address: 2088EA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F70AD0C53ECh 0x00000008 jnl 00007F70AD0C53E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 js 00007F70AD0C53F4h 0x00000019 push 00000000h 0x0000001b mov edx, 624FCC11h 0x00000020 mov esi, dword ptr [ebp+122D1BE3h] 0x00000026 call 00007F70AD0C53E9h 0x0000002b pushad 0x0000002c jp 00007F70AD0C53FDh 0x00000032 jmp 00007F70AD0C53F7h 0x00000037 push esi 0x00000038 jg 00007F70AD0C53E6h 0x0000003e pop esi 0x0000003f popad 0x00000040 push eax 0x00000041 push eax 0x00000042 jmp 00007F70AD0C53F5h 0x00000047 pop eax 0x00000048 mov eax, dword ptr [esp+04h] 0x0000004c jmp 00007F70AD0C53F4h 0x00000051 mov eax, dword ptr [eax] 0x00000053 jmp 00007F70AD0C53EDh 0x00000058 mov dword ptr [esp+04h], eax 0x0000005c pushad 0x0000005d jmp 00007F70AD0C53F7h 0x00000062 push esi 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 208A64 second address: 208A6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 208A6A second address: 208ABA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F70AD0C53E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 push ebx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ebx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jl 00007F70AD0C53E6h 0x0000001e popad 0x0000001f popad 0x00000020 mov eax, dword ptr [eax] 0x00000022 jmp 00007F70AD0C53EAh 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b push eax 0x0000002c push edx 0x0000002d jp 00007F70AD0C53FEh 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 208ABA second address: 208B18 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F70ACF8B17Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b sub edi, 5BC77F8Ch 0x00000011 push 00000003h 0x00000013 mov edx, 07AAF051h 0x00000018 mov dword ptr [ebp+122D284Dh], ebx 0x0000001e push 00000000h 0x00000020 jmp 00007F70ACF8B186h 0x00000025 push 00000003h 0x00000027 je 00007F70ACF8B17Ch 0x0000002d sub dword ptr [ebp+122D1C46h], edx 0x00000033 push 90509BD8h 0x00000038 push esi 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F70ACF8B17Ch 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 208B18 second address: 208B1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 208B1C second address: 208B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 add dword ptr [esp], 2FAF6428h 0x0000000e jmp 00007F70ACF8B189h 0x00000013 lea ebx, dword ptr [ebp+1245848Bh] 0x00000019 mov esi, dword ptr [ebp+122D2A1Eh] 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push edx 0x00000023 jl 00007F70ACF8B176h 0x00000029 pop edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 228EF4 second address: 228EF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 228EF9 second address: 228F39 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnp 00007F70ACF8B176h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F70ACF8B183h 0x00000012 pushad 0x00000013 je 00007F70ACF8B176h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c js 00007F70ACF8B17Eh 0x00000022 jnl 00007F70ACF8B176h 0x00000028 push edx 0x00000029 pop edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jnp 00007F70ACF8B176h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 22709B second address: 2270A4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2270A4 second address: 2270AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 22736D second address: 227372 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 227A91 second address: 227A97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 227D04 second address: 227D16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F70AD0C53EEh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 227FC5 second address: 227FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 227FCB second address: 227FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 227FCF second address: 227FD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 227FD3 second address: 227FF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70AD0C53F8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 227FF4 second address: 227FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 227FFA second address: 228003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 228003 second address: 228007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 228007 second address: 228011 instructions: 0x00000000 rdtsc 0x00000002 js 00007F70AD0C53E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 21F212 second address: 21F21E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 21F21E second address: 21F224 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 21F224 second address: 21F233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70ACF8B17Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 228136 second address: 228141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 228141 second address: 228145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 228145 second address: 228149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2289CA second address: 2289D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2289D0 second address: 2289D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 22B984 second address: 22B993 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70ACF8B17Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 22BE06 second address: 22BE17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F70AD0C53EAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 22BF4D second address: 22BF99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B184h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jnl 00007F70ACF8B184h 0x00000013 mov eax, dword ptr [eax] 0x00000015 jbe 00007F70ACF8B180h 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push ebx 0x00000022 push ecx 0x00000023 pop ecx 0x00000024 pop ebx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 22A8BA second address: 22A8BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 22D4AB second address: 22D4AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 22F6C9 second address: 22F6CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2351BA second address: 2351D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B17Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F70ACF8B176h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2351D6 second address: 2351DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2351DA second address: 235200 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B189h 0x00000007 jne 00007F70ACF8B176h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23477E second address: 234782 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 234782 second address: 23479C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F70ACF8B176h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F70ACF8B17Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 234E9E second address: 234EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23502B second address: 23503B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F70ACF8B176h 0x00000008 jl 00007F70ACF8B176h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23503B second address: 235047 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jg 00007F70AD0C53E6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 235047 second address: 235063 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F70ACF8B183h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2368F3 second address: 2368F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23698C second address: 2369D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B185h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a add dword ptr [esp], 295C990Ch 0x00000011 or edi, 021BEDEBh 0x00000017 push BACEAF41h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F70ACF8B188h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 236D7C second address: 236D80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 236F4D second address: 236F57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F70ACF8B176h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 237604 second address: 237612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F70AD0C53E6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 237966 second address: 23796A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23796A second address: 23797F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F70AD0C53E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F70AD0C53E6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 237AFE second address: 237B02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 237BA4 second address: 237BD6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F70AD0C53E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F70AD0C53E8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 237BD6 second address: 237BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 237BDD second address: 237C00 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F70AD0C53F5h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 238A86 second address: 238A8C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 238A8C second address: 238A96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F70AD0C53E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 239E7B second address: 239E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F70ACF8B182h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23B2A4 second address: 23B2C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70AD0C53EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b jbe 00007F70AD0C53F4h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23A5FD second address: 23A617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70ACF8B186h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23AFAA second address: 23AFD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70AD0C53EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F70AD0C53EFh 0x00000012 jg 00007F70AD0C53E6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23B2C0 second address: 23B2C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23AFD5 second address: 23AFDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23C837 second address: 23C83B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23C83B second address: 23C841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23C841 second address: 23C847 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23C5C1 second address: 23C5C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23D0DE second address: 23D0E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 241CA1 second address: 241CA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 241E7F second address: 241E83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 242F3C second address: 242F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 243C41 second address: 243C66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B180h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jl 00007F70ACF8B176h 0x00000013 jo 00007F70ACF8B176h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 243061 second address: 243065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 243F10 second address: 243F16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 245D2A second address: 245D30 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 245D30 second address: 245D76 instructions: 0x00000000 rdtsc 0x00000002 js 00007F70ACF8B178h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov di, DAE0h 0x00000013 push 00000000h 0x00000015 pushad 0x00000016 mov edx, dword ptr [ebp+122D256Ah] 0x0000001c mov bx, di 0x0000001f popad 0x00000020 push 00000000h 0x00000022 mov edi, dword ptr [ebp+122D2595h] 0x00000028 xchg eax, esi 0x00000029 jmp 00007F70ACF8B182h 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jno 00007F70ACF8B178h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 244F3E second address: 244F74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F70AD0C53F5h 0x00000008 jmp 00007F70AD0C53F5h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 244F74 second address: 244F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 248EDE second address: 248EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 247F33 second address: 247F42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B17Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 248EE2 second address: 248EF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70AD0C53F3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 247F42 second address: 247F4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F70ACF8B176h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 248EF9 second address: 248F32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70AD0C53F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov edi, 00303124h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 mov ebx, dword ptr [ebp+122D227Dh] 0x0000001b movzx ebx, si 0x0000001e xchg eax, esi 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jl 00007F70AD0C53E6h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 247F4C second address: 248005 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B184h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e clc 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F70ACF8B178h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 mov dword ptr [ebp+122D2721h], ebx 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d jbe 00007F70ACF8B17Bh 0x00000043 and di, B7C7h 0x00000048 mov dword ptr [ebp+12452D84h], edx 0x0000004e mov eax, dword ptr [ebp+122D1191h] 0x00000054 mov di, 6B53h 0x00000058 push FFFFFFFFh 0x0000005a push 00000000h 0x0000005c push ebx 0x0000005d call 00007F70ACF8B178h 0x00000062 pop ebx 0x00000063 mov dword ptr [esp+04h], ebx 0x00000067 add dword ptr [esp+04h], 00000017h 0x0000006f inc ebx 0x00000070 push ebx 0x00000071 ret 0x00000072 pop ebx 0x00000073 ret 0x00000074 mov ebx, 16939DD1h 0x00000079 nop 0x0000007a jmp 00007F70ACF8B189h 0x0000007f push eax 0x00000080 jc 00007F70ACF8B184h 0x00000086 pushad 0x00000087 push eax 0x00000088 push edx 0x00000089 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 248F32 second address: 248F3C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F70AD0C53E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 248005 second address: 24800B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 248F3C second address: 248F41 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 249FA4 second address: 249FB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jc 00007F70ACF8B17Eh 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 24C0B6 second address: 24C13D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70AD0C53EEh 0x00000009 popad 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e jmp 00007F70AD0C53EAh 0x00000013 push 00000000h 0x00000015 mov ebx, dword ptr [ebp+122D2C46h] 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007F70AD0C53E8h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 00000018h 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 mov ebx, dword ptr [ebp+12455E6Eh] 0x0000003d xchg eax, esi 0x0000003e push ebx 0x0000003f jmp 00007F70AD0C53EFh 0x00000044 pop ebx 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 jmp 00007F70AD0C53F9h 0x0000004e ja 00007F70AD0C53E6h 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 24D1DB second address: 24D1E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 24E226 second address: 24E22A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 24E22A second address: 24E27F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F70ACF8B176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov ebx, dword ptr [ebp+122D1D10h] 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F70ACF8B178h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 clc 0x00000031 jmp 00007F70ACF8B180h 0x00000036 push 00000000h 0x00000038 mov edi, dword ptr [ebp+122D2B66h] 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 24E27F second address: 24E283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 24E283 second address: 24E289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25082C second address: 250853 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F70AD0C53F8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 250853 second address: 250857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 250857 second address: 25085B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25085B second address: 250861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 250861 second address: 2508AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70AD0C53F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a and di, 1C45h 0x0000000f push 00000000h 0x00000011 adc bh, FFFFFF92h 0x00000014 push 00000000h 0x00000016 pushad 0x00000017 mov edx, dword ptr [ebp+122D2852h] 0x0000001d mov ebx, dword ptr [ebp+122D2C06h] 0x00000023 popad 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F70AD0C53F8h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2527D6 second address: 2527F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70ACF8B187h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2527F1 second address: 2527F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2527F5 second address: 252815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F70ACF8B183h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 252815 second address: 25281F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F70AD0C53E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25D283 second address: 25D29C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F70ACF8B17Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25D29C second address: 25D2A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25D2A0 second address: 25D2A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1F4389 second address: 1F43AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70AD0C53EFh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F70AD0C53EDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25C9CF second address: 25C9D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25CB31 second address: 25CB6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70AD0C53F8h 0x00000007 jp 00007F70AD0C53E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push edi 0x00000014 pop edi 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F70AD0C53ECh 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25CB6A second address: 25CB8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F70ACF8B180h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F70ACF8B17Bh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25CE1D second address: 25CE3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop ecx 0x00000008 pushad 0x00000009 jmp 00007F70AD0C53F1h 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007F70AD0C53E6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25CE3F second address: 25CE4D instructions: 0x00000000 rdtsc 0x00000002 je 00007F70ACF8B176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25CE4D second address: 25CE51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 24B26C second address: 24B272 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 263E7F second address: 263E85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 263E85 second address: 263E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 24D3CC second address: 24D3D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 24D3D1 second address: 24D47A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F70ACF8B17Dh 0x0000000f nop 0x00000010 mov edi, 1AD061AAh 0x00000015 push dword ptr fs:[00000000h] 0x0000001c jmp 00007F70ACF8B186h 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push edi 0x0000002b call 00007F70ACF8B178h 0x00000030 pop edi 0x00000031 mov dword ptr [esp+04h], edi 0x00000035 add dword ptr [esp+04h], 0000001Ah 0x0000003d inc edi 0x0000003e push edi 0x0000003f ret 0x00000040 pop edi 0x00000041 ret 0x00000042 mov edi, 11F3FCF1h 0x00000047 mov eax, dword ptr [ebp+122D1771h] 0x0000004d jmp 00007F70ACF8B180h 0x00000052 push FFFFFFFFh 0x00000054 push 00000000h 0x00000056 push eax 0x00000057 call 00007F70ACF8B178h 0x0000005c pop eax 0x0000005d mov dword ptr [esp+04h], eax 0x00000061 add dword ptr [esp+04h], 0000001Bh 0x00000069 inc eax 0x0000006a push eax 0x0000006b ret 0x0000006c pop eax 0x0000006d ret 0x0000006e push eax 0x0000006f pushad 0x00000070 push eax 0x00000071 push edx 0x00000072 push edi 0x00000073 pop edi 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 250A2D second address: 250A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 250A38 second address: 250A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 250A3C second address: 250AC7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F70AD0C53ECh 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F70AD0C53E8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 push dword ptr fs:[00000000h] 0x0000002f and ebx, dword ptr [ebp+122D2AD2h] 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c mov eax, dword ptr [ebp+122D0DD1h] 0x00000042 push 00000000h 0x00000044 push ebx 0x00000045 call 00007F70AD0C53E8h 0x0000004a pop ebx 0x0000004b mov dword ptr [esp+04h], ebx 0x0000004f add dword ptr [esp+04h], 00000019h 0x00000057 inc ebx 0x00000058 push ebx 0x00000059 ret 0x0000005a pop ebx 0x0000005b ret 0x0000005c push eax 0x0000005d mov dword ptr [ebp+12473205h], eax 0x00000063 pop edi 0x00000064 push FFFFFFFFh 0x00000066 mov dword ptr [ebp+122D232Ah], eax 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f jc 00007F70AD0C53ECh 0x00000075 js 00007F70AD0C53E6h 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1FAC3E second address: 1FAC44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1FAC44 second address: 1FAC4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1FAC4A second address: 1FAC58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop esi 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1FAC58 second address: 1FAC5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1FAC5E second address: 1FAC64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 267A56 second address: 267A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 267A5A second address: 267A66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F70ACF8B176h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 267A66 second address: 267A70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F70AD0C53E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 267A70 second address: 267A74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 268068 second address: 26806E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26806E second address: 2680D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F70ACF8B17Eh 0x0000000c jmp 00007F70ACF8B187h 0x00000011 jng 00007F70ACF8B178h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007F70ACF8B180h 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 push esi 0x00000025 pop esi 0x00000026 popad 0x00000027 pushad 0x00000028 jnc 00007F70ACF8B176h 0x0000002e jmp 00007F70ACF8B184h 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2683E2 second address: 2683E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2683E6 second address: 2683EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2683EE second address: 26840E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F70AD0C53E6h 0x0000000a jmp 00007F70AD0C53F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26840E second address: 26842D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F70ACF8B186h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26856B second address: 268583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F70AD0C53F1h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 268583 second address: 268591 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 268591 second address: 2685A3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F70AD0C53E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F70AD0C53E8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26871A second address: 268728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F70ACF8B17Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 268728 second address: 26872C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26872C second address: 268738 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F70ACF8B17Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 268738 second address: 268763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jo 00007F70AD0C53E6h 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 je 00007F70AD0C53E6h 0x00000019 pop ecx 0x0000001a jmp 00007F70AD0C53F1h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 268BD7 second address: 268BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 268BDD second address: 268BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 268BE1 second address: 268BE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26E929 second address: 26E94E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F70AD0C53E6h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F70AD0C53F4h 0x00000010 popad 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26E94E second address: 26E97E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70ACF8B17Ah 0x00000009 jmp 00007F70ACF8B180h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jbe 00007F70ACF8B19Dh 0x00000017 push edx 0x00000018 jnc 00007F70ACF8B176h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26EAF0 second address: 26EAF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26EF20 second address: 26EF24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26F0B2 second address: 26F0D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70AD0C53F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F70AD0C53E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26F3A4 second address: 26F3CF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F70ACF8B188h 0x0000000a pop edi 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push edi 0x0000000f pop edi 0x00000010 jbe 00007F70ACF8B176h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26F6D1 second address: 26F6D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26F6D5 second address: 26F6E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F70ACF8B176h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26F864 second address: 26F872 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 js 00007F70AD0C53ECh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26FDB8 second address: 26FDC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26E6CC second address: 26E6D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 27355B second address: 273564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 273564 second address: 273575 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F70AD0C53ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 27618C second address: 2761A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70ACF8B181h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2761A3 second address: 2761A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2761A7 second address: 2761AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2761AD second address: 2761B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2761B7 second address: 2761BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 27B42F second address: 27B436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1F2760 second address: 1F276D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23FCDB second address: 23FCE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F70AD0C53E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 23FCE5 second address: 21F212 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B189h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D262Ah], ecx 0x00000012 lea eax, dword ptr [ebp+1248F9C0h] 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F70ACF8B178h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 0000001Dh 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 push eax 0x00000033 push edi 0x00000034 jmp 00007F70ACF8B187h 0x00000039 pop edi 0x0000003a mov dword ptr [esp], eax 0x0000003d push 00000000h 0x0000003f push esi 0x00000040 call 00007F70ACF8B178h 0x00000045 pop esi 0x00000046 mov dword ptr [esp+04h], esi 0x0000004a add dword ptr [esp+04h], 00000016h 0x00000052 inc esi 0x00000053 push esi 0x00000054 ret 0x00000055 pop esi 0x00000056 ret 0x00000057 mov ch, 17h 0x00000059 call dword ptr [ebp+122D2384h] 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 jno 00007F70ACF8B176h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 240C67 second address: 240C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 240FC9 second address: 241040 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F70ACF8B176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F70ACF8B17Ch 0x00000010 popad 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F70ACF8B178h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c sub edi, dword ptr [ebp+122D1BCAh] 0x00000032 lea eax, dword ptr [ebp+1248FA04h] 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b call 00007F70ACF8B178h 0x00000040 pop eax 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 add dword ptr [esp+04h], 0000001Ah 0x0000004d inc eax 0x0000004e push eax 0x0000004f ret 0x00000050 pop eax 0x00000051 ret 0x00000052 mov dword ptr [ebp+122D2146h], eax 0x00000058 nop 0x00000059 push eax 0x0000005a push edx 0x0000005b jno 00007F70ACF8B17Ch 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 241040 second address: 241046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 241046 second address: 24104A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 24104A second address: 2410C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F70AD0C53F8h 0x0000000f jmp 00007F70AD0C53F9h 0x00000014 popad 0x00000015 nop 0x00000016 mov dx, ax 0x00000019 lea eax, dword ptr [ebp+1248F9C0h] 0x0000001f pushad 0x00000020 mov dword ptr [ebp+122D189Bh], ecx 0x00000026 add ebx, 0DC8F104h 0x0000002c popad 0x0000002d pushad 0x0000002e mov dword ptr [ebp+122D232Eh], ebx 0x00000034 jmp 00007F70AD0C53F5h 0x00000039 popad 0x0000003a push eax 0x0000003b push ebx 0x0000003c push eax 0x0000003d push edx 0x0000003e jp 00007F70AD0C53E6h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2410C5 second address: 21FD07 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F70ACF8B178h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov dl, 4Ch 0x00000026 call dword ptr [ebp+122D2D5Dh] 0x0000002c jmp 00007F70ACF8B185h 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push esi 0x00000035 pop esi 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 27A52A second address: 27A530 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 27A530 second address: 27A572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F70ACF8B190h 0x0000000c jmp 00007F70ACF8B184h 0x00000011 js 00007F70ACF8B176h 0x00000017 jmp 00007F70ACF8B180h 0x0000001c popad 0x0000001d push esi 0x0000001e push eax 0x0000001f push edx 0x00000020 push edi 0x00000021 pop edi 0x00000022 jg 00007F70ACF8B176h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 27A572 second address: 27A587 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F70AD0C53ECh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 27A9B7 second address: 27A9BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 27AC64 second address: 27AC72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F70AD0C53E6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 27AC72 second address: 27AC85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F70ACF8B17Eh 0x0000000b pushad 0x0000000c popad 0x0000000d js 00007F70ACF8B176h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 27AC85 second address: 27AC91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F70AD0C53E6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 27AC91 second address: 27AC95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 27AC95 second address: 27ACA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F70AD0C53E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 27F8EA second address: 27F8F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 27F8F3 second address: 27F929 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70AD0C53F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jg 00007F70AD0C53E8h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F70AD0C53ECh 0x00000017 jmp 00007F70AD0C53EAh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 27F929 second address: 27F933 instructions: 0x00000000 rdtsc 0x00000002 je 00007F70ACF8B176h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2802DF second address: 2802F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F70AD0C53E6h 0x0000000f jnc 00007F70AD0C53E6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2802F4 second address: 2802F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2802F8 second address: 280308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jng 00007F70AD0C53E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 280308 second address: 280324 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B184h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 280482 second address: 280486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 280486 second address: 28049A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F70ACF8B17Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 28049A second address: 2804A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F70AD0C53E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2804A5 second address: 2804AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2804AB second address: 2804CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jmp 00007F70AD0C53F5h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2804CC second address: 2804E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F70ACF8B183h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2804E7 second address: 2804EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 280653 second address: 280659 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 283AF8 second address: 283B0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F70AD0C53ECh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 283B0E second address: 283B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 283816 second address: 28381C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 28381C second address: 283820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 286ABE second address: 286ADB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70AD0C53EFh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F70AD0C53EEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 286ADB second address: 286AE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 286AE8 second address: 286AEE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 286682 second address: 286688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 286688 second address: 28668D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2867D7 second address: 2867E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F70ACF8B176h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2867E1 second address: 2867E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2867E5 second address: 2867ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2919DD second address: 2919E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2919E5 second address: 291A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F70ACF8B176h 0x0000000a pop ecx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F70ACF8B182h 0x00000018 popad 0x00000019 jmp 00007F70ACF8B187h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29097C second address: 290982 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 290AEC second address: 290AF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 290AF0 second address: 290AF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 290AF6 second address: 290B11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B182h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 290B11 second address: 290B15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 290B15 second address: 290B1F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F70ACF8B176h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 290B1F second address: 290B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F70AD0C53F3h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 290B3A second address: 290B46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 290B46 second address: 290B4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 290CB0 second address: 290CB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 290CB4 second address: 290CB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 290CB8 second address: 290CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 290CBE second address: 290CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 293002 second address: 29301C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jp 00007F70ACF8B17Ch 0x0000000b pushad 0x0000000c je 00007F70ACF8B176h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 297081 second address: 297085 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 297335 second address: 297383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F70ACF8B183h 0x0000000b jc 00007F70ACF8B176h 0x00000011 jmp 00007F70ACF8B17Bh 0x00000016 popad 0x00000017 pop edi 0x00000018 push edx 0x00000019 pushad 0x0000001a jmp 00007F70ACF8B17Fh 0x0000001f jmp 00007F70ACF8B17Ch 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 297607 second address: 29760D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29760D second address: 297613 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 297613 second address: 29761D instructions: 0x00000000 rdtsc 0x00000002 je 00007F70AD0C53ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 299EBC second address: 299ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F70ACF8B17Fh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 299ED3 second address: 299ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 299ED9 second address: 299F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F70ACF8B176h 0x0000000a popad 0x0000000b ja 00007F70ACF8B17Ch 0x00000011 jl 00007F70ACF8B178h 0x00000017 push eax 0x00000018 pop eax 0x00000019 popad 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d jp 00007F70ACF8B176h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 299F02 second address: 299F08 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A14BD second address: 2A14C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A14C2 second address: 2A14C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29F7F7 second address: 29F805 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F70ACF8B176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29F805 second address: 29F821 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F70AD0C53E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push edx 0x0000000e pop edx 0x0000000f jg 00007F70AD0C53E6h 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29F821 second address: 29F825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A02EB second address: 2A02F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A05C3 second address: 2A05C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A085C second address: 2A086F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F70AD0C53EEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A086F second address: 2A0884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70ACF8B181h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0884 second address: 2A088E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F70AD0C53E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0B7A second address: 2A0B98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B186h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0B98 second address: 2A0BAC instructions: 0x00000000 rdtsc 0x00000002 jc 00007F70AD0C53E6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0BAC second address: 2A0BC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B184h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0BC4 second address: 2A0BD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0BD0 second address: 2A0BEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B188h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A54E3 second address: 2A54EC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A54EC second address: 2A54FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70ACF8B17Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A45A7 second address: 2A45AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A45AB second address: 2A45CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B187h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A45CA second address: 2A45E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70AD0C53F6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A45E4 second address: 2A45EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A475A second address: 2A4764 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F70AD0C53E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A4764 second address: 2A476A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A476A second address: 2A476E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A48AE second address: 2A48C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F70ACF8B176h 0x0000000a jo 00007F70ACF8B176h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A48C5 second address: 2A48C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A48C9 second address: 2A48D5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F70ACF8B176h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A48D5 second address: 2A48FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70AD0C53F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jl 00007F70AD0C53F2h 0x00000010 jne 00007F70AD0C53E6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A4A5A second address: 2A4A5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A4BE5 second address: 2A4BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A4BE9 second address: 2A4BFC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F70ACF8B17Eh 0x00000008 jnl 00007F70ACF8B176h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A4D66 second address: 2A4D74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F70AD0C53E8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A4D74 second address: 2A4D83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F70ACF8B176h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A5015 second address: 2A5019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A518E second address: 2A51A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F70ACF8B176h 0x0000000a jo 00007F70ACF8B178h 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A51A6 second address: 2A51BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70AD0C53F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A51BE second address: 2A51E7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F70ACF8B176h 0x00000008 jng 00007F70ACF8B176h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F70ACF8B184h 0x00000016 push edx 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A51E7 second address: 2A51ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A9EF0 second address: 2A9F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70ACF8B182h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A9F06 second address: 2A9F0F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A9F0F second address: 2A9F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F70ACF8B176h 0x0000000a pop edi 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007F70ACF8B188h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 jmp 00007F70ACF8B180h 0x0000001b popad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 jc 00007F70ACF8B176h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B2C26 second address: 2B2C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0D9E second address: 2B0DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0DA4 second address: 2B0DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0DA8 second address: 2B0DAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0DAC second address: 2B0DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0DB2 second address: 2B0DEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F70ACF8B189h 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F70ACF8B186h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0DEB second address: 2B0E01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70AD0C53F2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0E01 second address: 2B0E1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F70ACF8B180h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0E1D second address: 2B0E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B1358 second address: 2B1367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jng 00007F70ACF8B182h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B1367 second address: 2B136D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B136D second address: 2B1390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F70ACF8B183h 0x0000000b jmp 00007F70ACF8B17Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B1685 second address: 2B168B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B168B second address: 2B16A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F70ACF8B17Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B1AE4 second address: 2B1AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B08CB second address: 2B08E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F70ACF8B17Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B904F second address: 2B9053 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B9053 second address: 2B9059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B9059 second address: 2B906C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F70AD0C53EAh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B906C second address: 2B9072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B9072 second address: 2B9076 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B91DF second address: 2B91F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007F70ACF8B181h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B91F9 second address: 2B922E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F70AD0C53E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F70AD0C53ECh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007F70AD0C53FEh 0x0000001a jmp 00007F70AD0C53F2h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B922E second address: 2B9232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C5449 second address: 2C544D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C544D second address: 2C5451 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C5451 second address: 2C5460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 je 00007F70AD0C53ECh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C5460 second address: 2C5468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C5468 second address: 2C546C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2C52DC second address: 2C52EF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F70ACF8B176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jp 00007F70ACF8B176h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CC2A5 second address: 2CC2A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CBC4F second address: 2CBC5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B17Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CBC5F second address: 2CBC79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F70AD0C53F4h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CBC79 second address: 2CBC95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70ACF8B188h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CBC95 second address: 2CBC99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CBC99 second address: 2CBCC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70ACF8B183h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f jns 00007F70ACF8B176h 0x00000015 pushad 0x00000016 popad 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CBCC3 second address: 2CBCC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CBCC7 second address: 2CBCDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B180h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CDA04 second address: 2CDA1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70AD0C53EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F70AD0C53ECh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CDA1E second address: 2CDA2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 js 00007F70ACF8B176h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CDA2B second address: 2CDA31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1F0C18 second address: 1F0C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70ACF8B17Ah 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F70ACF8B176h 0x00000014 jmp 00007F70ACF8B17Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E32C1 second address: 2E32CB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F70AD0C53E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E32CB second address: 2E32D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E32D4 second address: 2E32FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F70AD0C53E6h 0x0000000a jmp 00007F70AD0C53F7h 0x0000000f popad 0x00000010 js 00007F70AD0C53ECh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E86FB second address: 2E8709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E8709 second address: 2E870F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E89C7 second address: 2E89CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E89CB second address: 2E89D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F70AD0C53E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E89D7 second address: 2E89DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E89DD second address: 2E89E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E89E1 second address: 2E8A12 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F70ACF8B188h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jns 00007F70ACF8B176h 0x00000012 pop edi 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push esi 0x00000016 jne 00007F70ACF8B17Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E8B0C second address: 2E8B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70AD0C53F6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E8B29 second address: 2E8B48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F70ACF8B184h 0x00000008 jnc 00007F70ACF8B176h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E8B48 second address: 2E8B65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007F70AD0C53EAh 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F70AD0C53E8h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E8E22 second address: 2E8E38 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F70ACF8B17Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E8E38 second address: 2E8E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E8E3C second address: 2E8E53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F70ACF8B176h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E8E53 second address: 2E8E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E8E57 second address: 2E8E5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2ED71E second address: 2ED722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2ED722 second address: 2ED735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F70ACF8B17Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2ED418 second address: 2ED41E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FBC8A second address: 2FBCD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F70ACF8B188h 0x00000008 jmp 00007F70ACF8B17Ah 0x0000000d jg 00007F70ACF8B176h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F70ACF8B17Dh 0x0000001d jmp 00007F70ACF8B182h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FBCD9 second address: 2FBCDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FBCDF second address: 2FBD09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B181h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jno 00007F70ACF8B176h 0x00000010 je 00007F70ACF8B176h 0x00000016 jne 00007F70ACF8B176h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30D6DD second address: 30D6F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70AD0C53F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30D6F5 second address: 30D708 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F70ACF8B176h 0x00000008 jg 00007F70ACF8B176h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30D296 second address: 30D2F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70AD0C53F9h 0x00000007 jmp 00007F70AD0C53F0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007F70AD0C53EDh 0x00000016 pop eax 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push ecx 0x0000001b jmp 00007F70AD0C53F5h 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 pop ecx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30D2F0 second address: 30D30A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70ACF8B180h 0x00000009 jl 00007F70ACF8B176h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30D30A second address: 30D30E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 324F2D second address: 324F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70ACF8B184h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F70ACF8B176h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 325D16 second address: 325D1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 325D1B second address: 325D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F70ACF8B176h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32767E second address: 327682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 327682 second address: 3276A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B183h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 329F3E second address: 329F44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32A175 second address: 32A189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70ACF8B17Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32A266 second address: 32A26B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32A26B second address: 32A272 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32A48A second address: 32A4DA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jl 00007F70AD0C53E6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F70AD0C53E8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov dl, CDh 0x00000029 push dword ptr [ebp+122D2DE7h] 0x0000002f jp 00007F70AD0C53ECh 0x00000035 push 989F4D0Fh 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32A4DA second address: 32A4DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32A4DF second address: 32A4E9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F70AD0C53ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32B88F second address: 32B89A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32B89A second address: 32B8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32B8A0 second address: 32B8B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F70ACF8B180h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32B8B6 second address: 32B8BB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32D4C8 second address: 32D4E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F70ACF8B176h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c jne 00007F70ACF8B17Ch 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32D4E8 second address: 32D4EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32D4EC second address: 32D508 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B188h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32D508 second address: 32D50E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32D50E second address: 32D52E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B186h 0x00000007 jc 00007F70ACF8B17Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32F0E7 second address: 32F0ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32F0ED second address: 32F0F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C20D90 second address: 4C20DA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70AD0C53F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C20DA8 second address: 4C20DE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70ACF8B17Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test ecx, ecx 0x0000000d jmp 00007F70ACF8B186h 0x00000012 jns 00007F70ACF8B1B4h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F70ACF8B17Ah 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C20DE5 second address: 4C20DE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C20DE9 second address: 4C20DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C20DEF second address: 4C20DF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, di 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 239C4F second address: 239C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 239C53 second address: 239C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 22AA1F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 22A639 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 23FE94 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 2BEF3F instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 4136

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: file.exe, file.exe, 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000001.00000001.2274473921.000000000020F000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000002.2323341897.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306332781.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWM
Source: file.exe, 00000001.00000002.2323341897.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307013354.0000000000E96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000002.2323167716.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: file.exe, 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000001.00000001.2274473921.000000000020F000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00065BB0 LdrInitializeThunk,

1_2_00065BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor

Source: file.exe, file.exe, 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	5 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	unknown
eaglepawnoy.store	unknown	unknown	false	unknown
bathdoomgaz.store	unknown	unknown	false	unknown
spirittunek.store	unknown	unknown	false	unknown
licendfilteo.site	unknown	unknown	true	unknown
studennotediw.store	unknown	unknown	false	unknown
mobbipenju.store	unknown	unknown	false	unknown
clearancek.site	unknown	unknown	true	unknown
dissapoiznw.store	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
studennotediw.stor	true		unknown
spirittunek.stor	true		unknown
eaglepawnoy.stor	true		unknown
clearancek.site	true		unknown
mobbipenju.stor	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
licendfilteo.site	true		unknown
bathdoomgaz.stor	true		unknown
dissapoiznw.stor	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://player.vimeo.com	file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	file.exe, 00000001.00000003.2306332781.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/en/	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/market/	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000001.00000002.2323167716.0000000000E56000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.youtube.com	file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=AeTz	file.exe, 00000001.00000002.2323167716.0000000000E56000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://s.ytimg.com;	file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steam.tv/	file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com	file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sketchfab.com	file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:27060	file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a	file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R	file.exe, 00000001.00000002.2323167716.0000000000E56000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/	file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000001.00000003.2306332781.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2323341897.0000000000E74000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000001.00000003.2306092931.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	file.exe, 00000001.00000003.2306332781.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2323425071.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307013354.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2323288064.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.2307607729.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000001.00000003.2306092931.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528314
Start date and time:	2024-10-07 19:12:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@9/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
13:13:14	API Interceptor	2x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	TuQlz67byH.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	CatalogApp.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	CatalogApp.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	down.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	xwZfYpo16i.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	http://kendellseafoods.com/	Get hash	malicious	Unknown	Browse	104.102.44.86
	TuQlz67byH.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	CatalogApp.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	CatalogApp.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DocuSign-Docx.pdf	Get hash	malicious	Unknown	Browse	88.221.168.23
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	down.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	TuQlz67byH.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	45Ywq5ad5H.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	f1r6P3j3g7.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	NdSXVNeoET.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	VLSiVR4Qxs.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	vEcIHT68pU.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	CatalogApp.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	CatalogApp.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.949222538541043
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'896'960 bytes
MD5:	7f16de1753bdf759e86f0065ae087993
SHA1:	0cb99974e464c4f61d0c308ae4108bc0b3a029b0
SHA256:	1bf1af0c96cd1d473dcd319d8173af52b68930f29d1edc9e1c823fd960e547cf
SHA512:	3bc6b2d2d42379b8d41b037f3b25739a2bfe0d3e5b10fd7d33aa163d38ab942749bf8b24aec1a9a3f80b4d94342cb6c1e11ec95660ebc70bc4dd945c367d2587
SSDEEP:	49152:IXeBO1b17+hdU1jCjNjw2lfRxYz5u4eiUGOl:IMu5nujNkS5+u
TLSH:	B4953344AC9452E2F618BDB58F8BE93C35F5801098DA092A7E8976E71BE37373293C15
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................L...........@..........................0L......,....@.................................W...k..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8c0000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F70ACB59EDAh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	12cfdac9b2b27a5350f545bbf8e107d6	False	0.9995939047029703	data	7.981734006757534	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x2b9000	0x200	1c264ecbbecb7689e6391728dba33519	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vrthgirk	0x319000	0x1a6000	0x1a5a00	89b33bdf987a5ad668ccfbf97d2ff2bc	False	0.9944816835902757	data	7.9535508748545585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qmarxokm	0x4bf000	0x1000	0x400	4d73c02553d91337f8e730f4d6fbaa64	False	0.736328125	data	5.870379361028447	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4c0000	0x3000	0x2200	e56e1720d6e211b25256589aeb850868	False	0.064453125	DOS executable (COM)	0.77151158573759	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T19:13:15.858175+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.6	58536	1.1.1.1	53	UDP
2024-10-07T19:13:16.157826+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.6	64556	1.1.1.1	53	UDP
2024-10-07T19:13:16.183557+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.6	57109	1.1.1.1	53	UDP
2024-10-07T19:13:16.195376+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.6	59167	1.1.1.1	53	UDP
2024-10-07T19:13:16.208572+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.6	55910	1.1.1.1	53	UDP
2024-10-07T19:13:16.220304+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.6	58624	1.1.1.1	53	UDP
2024-10-07T19:13:16.232389+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.6	56523	1.1.1.1	53	UDP
2024-10-07T19:13:16.245942+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.6	64768	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 19:13:16.274652004 CEST	49740	443	192.168.2.6	104.102.49.254
Oct 7, 2024 19:13:16.274743080 CEST	443	49740	104.102.49.254	192.168.2.6
Oct 7, 2024 19:13:16.274835110 CEST	49740	443	192.168.2.6	104.102.49.254
Oct 7, 2024 19:13:16.304542065 CEST	49740	443	192.168.2.6	104.102.49.254
Oct 7, 2024 19:13:16.304574013 CEST	443	49740	104.102.49.254	192.168.2.6
Oct 7, 2024 19:13:16.991396904 CEST	443	49740	104.102.49.254	192.168.2.6
Oct 7, 2024 19:13:16.991563082 CEST	49740	443	192.168.2.6	104.102.49.254
Oct 7, 2024 19:13:16.993416071 CEST	49740	443	192.168.2.6	104.102.49.254
Oct 7, 2024 19:13:16.993427038 CEST	443	49740	104.102.49.254	192.168.2.6
Oct 7, 2024 19:13:16.993680954 CEST	443	49740	104.102.49.254	192.168.2.6
Oct 7, 2024 19:13:17.040975094 CEST	49740	443	192.168.2.6	104.102.49.254
Oct 7, 2024 19:13:17.089642048 CEST	49740	443	192.168.2.6	104.102.49.254
Oct 7, 2024 19:13:17.131403923 CEST	443	49740	104.102.49.254	192.168.2.6
Oct 7, 2024 19:13:17.582989931 CEST	443	49740	104.102.49.254	192.168.2.6
Oct 7, 2024 19:13:17.583018064 CEST	443	49740	104.102.49.254	192.168.2.6
Oct 7, 2024 19:13:17.583061934 CEST	443	49740	104.102.49.254	192.168.2.6
Oct 7, 2024 19:13:17.583085060 CEST	443	49740	104.102.49.254	192.168.2.6
Oct 7, 2024 19:13:17.583108902 CEST	443	49740	104.102.49.254	192.168.2.6
Oct 7, 2024 19:13:17.583126068 CEST	49740	443	192.168.2.6	104.102.49.254
Oct 7, 2024 19:13:17.583146095 CEST	443	49740	104.102.49.254	192.168.2.6
Oct 7, 2024 19:13:17.583168983 CEST	49740	443	192.168.2.6	104.102.49.254
Oct 7, 2024 19:13:17.583230019 CEST	49740	443	192.168.2.6	104.102.49.254
Oct 7, 2024 19:13:17.700534105 CEST	443	49740	104.102.49.254	192.168.2.6
Oct 7, 2024 19:13:17.700608969 CEST	443	49740	104.102.49.254	192.168.2.6
Oct 7, 2024 19:13:17.700643063 CEST	443	49740	104.102.49.254	192.168.2.6
Oct 7, 2024 19:13:17.700679064 CEST	49740	443	192.168.2.6	104.102.49.254
Oct 7, 2024 19:13:17.700740099 CEST	49740	443	192.168.2.6	104.102.49.254
Oct 7, 2024 19:13:17.773684025 CEST	49740	443	192.168.2.6	104.102.49.254
Oct 7, 2024 19:13:17.773729086 CEST	443	49740	104.102.49.254	192.168.2.6
Oct 7, 2024 19:13:17.773744106 CEST	49740	443	192.168.2.6	104.102.49.254
Oct 7, 2024 19:13:17.773751974 CEST	443	49740	104.102.49.254	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 19:13:15.858175039 CEST	58536	53	192.168.2.6	1.1.1.1
Oct 7, 2024 19:13:16.147808075 CEST	53	58536	1.1.1.1	192.168.2.6
Oct 7, 2024 19:13:16.157825947 CEST	64556	53	192.168.2.6	1.1.1.1
Oct 7, 2024 19:13:16.180682898 CEST	53	64556	1.1.1.1	192.168.2.6
Oct 7, 2024 19:13:16.183557034 CEST	57109	53	192.168.2.6	1.1.1.1
Oct 7, 2024 19:13:16.192917109 CEST	53	57109	1.1.1.1	192.168.2.6
Oct 7, 2024 19:13:16.195375919 CEST	59167	53	192.168.2.6	1.1.1.1
Oct 7, 2024 19:13:16.206336975 CEST	53	59167	1.1.1.1	192.168.2.6
Oct 7, 2024 19:13:16.208571911 CEST	55910	53	192.168.2.6	1.1.1.1
Oct 7, 2024 19:13:16.217844963 CEST	53	55910	1.1.1.1	192.168.2.6
Oct 7, 2024 19:13:16.220304012 CEST	58624	53	192.168.2.6	1.1.1.1
Oct 7, 2024 19:13:16.230253935 CEST	53	58624	1.1.1.1	192.168.2.6
Oct 7, 2024 19:13:16.232388973 CEST	56523	53	192.168.2.6	1.1.1.1
Oct 7, 2024 19:13:16.243619919 CEST	53	56523	1.1.1.1	192.168.2.6
Oct 7, 2024 19:13:16.245942116 CEST	64768	53	192.168.2.6	1.1.1.1
Oct 7, 2024 19:13:16.256119967 CEST	53	64768	1.1.1.1	192.168.2.6
Oct 7, 2024 19:13:16.260615110 CEST	55088	53	192.168.2.6	1.1.1.1
Oct 7, 2024 19:13:16.269241095 CEST	53	55088	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 19:13:15.858175039 CEST	192.168.2.6	1.1.1.1	0x2b9a	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:13:16.157825947 CEST	192.168.2.6	1.1.1.1	0x6b96	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:13:16.183557034 CEST	192.168.2.6	1.1.1.1	0x4655	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:13:16.195375919 CEST	192.168.2.6	1.1.1.1	0x6f75	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:13:16.208571911 CEST	192.168.2.6	1.1.1.1	0x6987	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:13:16.220304012 CEST	192.168.2.6	1.1.1.1	0xc3f	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:13:16.232388973 CEST	192.168.2.6	1.1.1.1	0x36a4	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:13:16.245942116 CEST	192.168.2.6	1.1.1.1	0x8537	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:13:16.260615110 CEST	192.168.2.6	1.1.1.1	0xe8b5	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 19:13:16.147808075 CEST	1.1.1.1	192.168.2.6	0x2b9a	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:13:16.180682898 CEST	1.1.1.1	192.168.2.6	0x6b96	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:13:16.192917109 CEST	1.1.1.1	192.168.2.6	0x4655	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:13:16.206336975 CEST	1.1.1.1	192.168.2.6	0x6f75	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:13:16.217844963 CEST	1.1.1.1	192.168.2.6	0x6987	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:13:16.230253935 CEST	1.1.1.1	192.168.2.6	0xc3f	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:13:16.243619919 CEST	1.1.1.1	192.168.2.6	0x36a4	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:13:16.256119967 CEST	1.1.1.1	192.168.2.6	0x8537	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:13:16.269241095 CEST	1.1.1.1	192.168.2.6	0xe8b5	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49740	104.102.49.254	443	3040	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 17:13:17 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-07 17:13:17 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 07 Oct 2024 17:13:17 GMT Content-Length: 25489 Connection: close Set-Cookie: sessionid=4cd710fa763484e6220656b9; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-07 17:13:17 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-07 17:13:17 UTC	10975	IN	Data Raw: 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 62 75 6c 67 61 72 69 61 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 62 75 6c 67 61 72 69 61 6e 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 Data Ascii: <a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a><a class="popup_menu_item tight" href="?l=bulgarian" onclick="ChangeLanguage( 'bulgarian' ); return fa

Target ID:	1
Start time:	13:13:12
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x20000
File size:	1'896'960 bytes
MD5 hash:	7F16DE1753BDF759E86F0065AE087993
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	62.7%
Total number of Nodes:	51
Total number of Limit Nodes:	5

Executed Functions

Function 000650FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(19A41BB1,00000000,00000800), ref: 00065182

Strings

<I$), xrefs: 000652E3
<I$), xrefs: 00065198
@^, xrefs: 00065120

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: <I$)$<I$)$@^
API String ID: 1029625771-935358343
Opcode ID: da93a1cb1457413ee81a6f306c6838f6eaa2d8ec092a8723b2cc9d1160af0eaf
Instruction ID: c7d3f7b5a525cf252cd02933a46be045c0e9b4bb79bf21ef911e33a8fc8a913d
Opcode Fuzzy Hash: da93a1cb1457413ee81a6f306c6838f6eaa2d8ec092a8723b2cc9d1160af0eaf
Instruction Fuzzy Hash: 9021D1355083848FE300DF68D88176AB7F5AB5A301F69482CE1C9E7352D739DA55CB46

Function 0002FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t, xrefs: 0002FCBE
V, xrefs: 0002FEDC
VY^_, xrefs: 0002FDFF
J|BJ, xrefs: 0003000D

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: 5f8dc1d222c602ea6bcb39d80c08843112f9797e9d342a2f6690f973cd21a045
Instruction ID: 68cee6f034233fd896209647f97e36b9c5316f81edcbeca1e5a51a2d367b8e46
Opcode Fuzzy Hash: 5f8dc1d222c602ea6bcb39d80c08843112f9797e9d342a2f6690f973cd21a045
Instruction Fuzzy Hash: 28D1987450D3919BD352DF1495A466FBBF5AF92B84F18882CF4C98B222C336CD09DB92

Function 0002D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 0002D2F1

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d76b4bf253dedf9f0548a7b899d142eb1420829fba81787eb56753cb88d25418
Instruction ID: 1d5c3bc6e5238f1c5fec7436b1baa9925aa09266c16ba344249848d65d7edb66
Opcode Fuzzy Hash: d76b4bf253dedf9f0548a7b899d142eb1420829fba81787eb56753cb88d25418
Instruction Fuzzy Hash: 1A41567040D390ABD301BB68E594A2EFBF5AF62705F148C1DE9C497212C336EC149B67

Function 00065700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 00065784

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8fed26e2d9b62670912e67077bd409b3d19573c189e8c60e3dfc2e50f836d4cd
Instruction ID: 778e632e47fa4dbaa682e7cbb64b04594c5a7ab122aa004a71a6857a54644abb
Opcode Fuzzy Hash: 8fed26e2d9b62670912e67077bd409b3d19573c189e8c60e3dfc2e50f836d4cd
Instruction Fuzzy Hash: 4411A07191C280EBD301AF28EC44A1FBBF6AF86711F058828E4C89B212D339D950DB93

Function 00065BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0006973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 00065BDE

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0006695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 000669C5

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 453769e77d8b345a1a395b5c69cc7a34dd0e3fdddbce39c9c9dc46414fecf2ae
Instruction ID: f3d9cec0ce7ecc4c060bec259530162dc6b9f0d9a33900efe73fd617562a4678
Opcode Fuzzy Hash: 453769e77d8b345a1a395b5c69cc7a34dd0e3fdddbce39c9c9dc46414fecf2ae
Instruction Fuzzy Hash: 8D31CBB09183018FE758DF14D8A072BB7F2FF85344F08881CE5CAA7261E37A9944CB56

Function 0003049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4372ad4be4669c1155caf2c67dfd3b15f26f0ba3fe8b4135e8bbd682561e0e0
Instruction ID: b58f15e6ed3dde77ad52984480cd0aafe46ac0238a8282a2dbedb7661af2c6ed
Opcode Fuzzy Hash: f4372ad4be4669c1155caf2c67dfd3b15f26f0ba3fe8b4135e8bbd682561e0e0
Instruction Fuzzy Hash: 7691AD75600B01CFE324CF24E894A27B7F6FF89310F118A6CE8568BAA2D774E815CB50

Function 00030228 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb831b8ef6e842895ad75323cdbf6a4aea68e643d7a93ca84e23572c7fc2772
Instruction ID: 27bdddf28a484c33babb4f774aa137c53e950c7bf87a6298b2b60dbe1eae643c
Opcode Fuzzy Hash: aeb831b8ef6e842895ad75323cdbf6a4aea68e643d7a93ca84e23572c7fc2772
Instruction Fuzzy Hash: F7717974205701DFE7258F20E894B27B7FAFF49315F108968E8568BA62C779E815CB50

Function 000699D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e97308aaf5f29a494f730fb547dab9ba32f14166147ece07ad3ad436a5c002
Instruction ID: aa83e45b6b1bb6a9bd401d3208cf4abe98952a2cf9bc6921648ff70138fe01bf
Opcode Fuzzy Hash: 65e97308aaf5f29a494f730fb547dab9ba32f14166147ece07ad3ad436a5c002
Instruction Fuzzy Hash: FF41DE34608300ABEB54DF55ED90B2FB7FAEB85715F14982CF58A97641D335E800CBA2

Function 000663B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f7fde785de8962a1bda95466ebe6af039b6836aa36c839fa05dbb3332614dc72
Instruction ID: 5cf1fa9c1e07421685c207d532b95d527bfd507d88835b24631ec8a5b2dce0fa
Opcode Fuzzy Hash: f7fde785de8962a1bda95466ebe6af039b6836aa36c839fa05dbb3332614dc72
Instruction Fuzzy Hash: 1331E670A49301BBE624DB04DD82F3AB7E7FB81B11F64450CF185672D1D775A851CB52

Function 00063220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 000632A6

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 83753ca7b2f26c4df223ed5fdb6ba9effbcf1f3b156859af9e906304e5a4dfae
Instruction ID: c36bc29dc5e2f584072e66410d7d7bbe0d1b87c8ca75468ea9f8d345ea6ef0bf
Opcode Fuzzy Hash: 83753ca7b2f26c4df223ed5fdb6ba9effbcf1f3b156859af9e906304e5a4dfae
Instruction Fuzzy Hash: 5401AD3090D2409BD300EF18E895A1ABBF9EF4A700F05481CE4C89B321D339DD60DB92

Function 00063202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00063208

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8823ae95a6912107c46a8d72d4eb562e42501f6d41e2428482bbc03f9d74c88b
Instruction ID: 36a4a1754c322bec2258442c8ee854be6ab3adef46b5a73dc4c92ea9efddf235
Opcode Fuzzy Hash: 8823ae95a6912107c46a8d72d4eb562e42501f6d41e2428482bbc03f9d74c88b
Instruction Fuzzy Hash: BDB012304400005FEA081B00EC0AF003520EF00605F800050A104140B1E16958A4D554

Function 0008495C Relevance: 1.3, APIs: 1, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00084C8C

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a0d7ac810faf91d2ca61a7c3384e636dafa04c49de5187600a55847effa638a8
Instruction ID: f9eb7e9f43d9066594de2a3c5b8c2ee8304974b3f67914c4ccb71592b11d1454
Opcode Fuzzy Hash: a0d7ac810faf91d2ca61a7c3384e636dafa04c49de5187600a55847effa638a8
Instruction Fuzzy Hash: 3601A7B250C600AFE3582E18D9555BDBBD8EF50720F16042EE5C692650E6714C408786

Function 000849BA Relevance: 1.3, APIs: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00084C8C

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c36bb3c15f490c68c6fb7e6517f7e63de66df8cf948b608e380a0881e158fb2d
Instruction ID: cf157676dcaed10bacd05d4ea1aa78881031c0894e135f43d748856d4f22ab32
Opcode Fuzzy Hash: c36bb3c15f490c68c6fb7e6517f7e63de66df8cf948b608e380a0881e158fb2d
Instruction Fuzzy Hash: 4DF0F4B250C610AFE3583E28D8615BDBBE8EF50720F23002EE9C392A50EA324C00C786

Function 000848EB Relevance: 1.3, APIs: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00084D7A

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 44af1b7e7b57908867d6fd8de539ba3fc04d3526c6bffb69abb13215ec414ab7
Instruction ID: 1ef48a1e6b1d73d7d4a43d8c4c0aa9ec2e1dfdfb2b4c8b67b76e7125b0d2c8f0
Opcode Fuzzy Hash: 44af1b7e7b57908867d6fd8de539ba3fc04d3526c6bffb69abb13215ec414ab7
Instruction Fuzzy Hash: B6F0A07510C20AAFE7605F79884966F7BE9FF54331F104619F9A9D2A90D2318C40D746

Function 00084C77 Relevance: 1.3, APIs: 1, Instructions: 25memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00084C8C

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c069e0b72f558038ff10d7aa4e4880edcc8fff2b1ffad3045b68cbfff7fefb5f
Instruction ID: 47ed759abc5b851ed76a236174274800ea7b2c6cfc50dad33111939a27f775f4
Opcode Fuzzy Hash: c069e0b72f558038ff10d7aa4e4880edcc8fff2b1ffad3045b68cbfff7fefb5f
Instruction Fuzzy Hash: 1DE0C9B280C624AFE7116F54A4846BDBFE4EF15750F12086EE9C492650D6354C50CB86

Function 00084D63 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00084D7A

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 29672170c12234199f5ab4625c22e8b4697b67fd003f87bdae811604190c75dd
Instruction ID: ea84091fba86df6dc7376f9e4eabcb7c916a381176d5cb8491930ff49a90ff51
Opcode Fuzzy Hash: 29672170c12234199f5ab4625c22e8b4697b67fd003f87bdae811604190c75dd
Instruction Fuzzy Hash: 61D012740041098BE7102F74C40929E7BA0FF01321F104514E9A192690D7318C54DB46

Non-executed Functions

Function 000523E0 Relevance: 33.0, APIs: 4, Strings: 13, Instructions: 3298COMMON

Download Yara Rule

Strings

:, xrefs: 000532DD
fedc, xrefs: 00052782
3<, xrefs: 000532D6
mlc@, xrefs: 0005275C
|}&C, xrefs: 00052F21
ggxz, xrefs: 00052685
Cx, xrefs: 0005453D
{l`~, xrefs: 0005268C
%*+(, xrefs: 000540EF
f@~!, xrefs: 000525FF
#v, xrefs: 0005344B, 00054861
`tii, xrefs: 00052693
aenQ, xrefs: 0005276A

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C$#v
API String ID: 0-2260822535
Opcode ID: 5aff7ce951e01f6e4a09574122dcccf999414e41651640cab0a24e4c7f90b5d4
Instruction ID: 33d3da3be46684507a1546acea9ce69f1fc243ea7cf274c85355bbc278c2c827
Opcode Fuzzy Hash: 5aff7ce951e01f6e4a09574122dcccf999414e41651640cab0a24e4c7f90b5d4
Instruction Fuzzy Hash: 4B33CD70504B818FE7658F38C590763BBE1BF16305F58899DE8DA8B792C735E80ACB61

Function 0003DB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

|, xrefs: 0003ECB1
@ONM, xrefs: 0003E6DB
dcba, xrefs: 0003E728
<=2, xrefs: 0003EA01
`onm, xrefs: 0003E733
()./, xrefs: 0003E9CA
AR, xrefs: 0003DD10
LKJI, xrefs: 0003E6E6
tsrq, xrefs: 0003E6FC
QNOL, xrefs: 0003E775
%*+(, xrefs: 0003DE37, 0003DE46
lkji, xrefs: 0003E73E
89&', xrefs: 0003E93B
xgfe, xrefs: 0003E71D
`Y^_, xrefs: 0003E99E
DCBA, xrefs: 0003E887, 0003E896
<=:;, xrefs: 0003E930
WP, xrefs: 0003DCEF
mjkh, xrefs: 0003E7D8
D, xrefs: 0003E846
89>?, xrefs: 0003E9F6
tuJK, xrefs: 0003E967
T, xrefs: 0003F157
:WUE, xrefs: 0003F6B7, 0003F6C6

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: 66ed5b4e303c85105acfe54d57f5482cb1cdf3e8e44c0feac125a2238ceb2cb9
Instruction ID: 56688606fa136d2b2ee3f08372c8d37f96d64fada235f5b24df5b11c8d967d07
Opcode Fuzzy Hash: 66ed5b4e303c85105acfe54d57f5482cb1cdf3e8e44c0feac125a2238ceb2cb9
Instruction Fuzzy Hash: 07F27AB05083829BD7B1CF14D884BAFBBE6BFD5304F14492DE4C98B292D7759984CB92

Function 00049F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

kW, xrefs: 0004A380
(a*c, xrefs: 0004A147
CG, xrefs: 0004AA32
WQ, xrefs: 0004A62B
_Y, xrefs: 0004A641
=], xrefs: 0004A36A
?m,o, xrefs: 0004A13C
WH, xrefs: 0004AA1C
/), xrefs: 0004A66D
N[, xrefs: 0004A375
Gt, xrefs: 00049FF8
S], xrefs: 0004A636
sm, xrefs: 0004A830
%e6g, xrefs: 0004A152
]{, xrefs: 0004A1E7, 0004A1F3
JG, xrefs: 0004AA27
hi, xrefs: 0004AB9D

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: 14e01c7b12e4542a04050a276ad8d58403a559bb56537bbda960d823936a9c91
Instruction ID: 6f7f087d8c8797b6a97bdd868e89c8b91953e7e5fbf92d622c383661bde50603
Opcode Fuzzy Hash: 14e01c7b12e4542a04050a276ad8d58403a559bb56537bbda960d823936a9c91
Instruction Fuzzy Hash: 1652D7B414D385CAE270CF25D581B8EBAF1BB92740F608A2DE1ED9B255DBB08045CF97

Function 00049510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

?M0K, xrefs: 00049968
T#a-, xrefs: 00049AE3
O+f), xrefs: 00049634, 0004963D
X/R), xrefs: 00049AEB
!E4G, xrefs: 00049836
L3Y=, xrefs: 00049B03
pq, xrefs: 000499E0
G+X5, xrefs: 00049AF3
;IJK, xrefs: 0004983E
B?Q9, xrefs: 00049B0B
,A&C, xrefs: 0004982E
2A"_, xrefs: 00049980
8;, xrefs: 00049B13
z=Q?, xrefs: 00049826
G'M!, xrefs: 00049ADB
B7U1, xrefs: 00049AFB

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: 3f03b2c0ba20095a16fe578d5dfe9497eb250e2bf0798034be9f645e606656ce
Instruction ID: 4fdbd1dd4639551bc58b82fb020603f40308be7f56a2674c57807df08b34dd3e
Opcode Fuzzy Hash: 3f03b2c0ba20095a16fe578d5dfe9497eb250e2bf0798034be9f645e606656ce
Instruction Fuzzy Hash: 80F130B4508380ABD310DF55D881A2BBBF4FB86B48F144D2CF5D99B252D374D948CB9A

Function 0004DD29 Relevance: 14.9, Strings: 11, Instructions: 1142COMMON

Download Yara Rule

Strings

Y9N;, xrefs: 0004E245
hX]N, xrefs: 0004DDC7
-M2O, xrefs: 0004E25A
{E, xrefs: 0004E323
=]+_, xrefs: 0004E276
upH}, xrefs: 0004DE8A, 0004E798, 0004DF4A
)IgK, xrefs: 0004E261
<Y.[, xrefs: 0004E27D
%*+(, xrefs: 0004E143
,Q?S, xrefs: 0004E26F
n\+H, xrefs: 0004DDC0

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$upH}${E
API String ID: 0-1557708024
Opcode ID: f7f3e1b30f13c8b3c3f601267b2fd5d0476bc253a7c3a396e04480faa3cf0408
Instruction ID: 51d0fb75f9d4bacf3cf53990b0042ee5d5984f334e6bc2658d7d9dd045c9f5b2
Opcode Fuzzy Hash: f7f3e1b30f13c8b3c3f601267b2fd5d0476bc253a7c3a396e04480faa3cf0408
Instruction Fuzzy Hash: DA9214B1E00245CFDB18CF68D8516AEBBF2FF49310F298168E455AB392D739AD41CB91

Function 001F6172 Relevance: 14.1, Strings: 10, Instructions: 1597COMMON

Download Yara Rule

Strings

x, xrefs: 001F6723
,$J&, xrefs: 001F6DA2
X'_m, xrefs: 001F709A
a>[], xrefs: 001F6D31
d6w, xrefs: 001F6F84
\]", xrefs: 001F6F73
O[5}, xrefs: 001F6F03
Q-M, xrefs: 001F65C4
h+J\, xrefs: 001F7433
z6U, xrefs: 001F62AA

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID: ,$J&$O[5}$Q-M$X'_m$\]"$a>[]$h+J\$z6U$d6w$x
API String ID: 0-4279872102
Opcode ID: 6283e7935f279b4ebb4cc9d2196c84d8832511385e8f2ade05f6d4dcafbd7c07
Instruction ID: 1975d0812acee258743d281c77eacb71ad19596b5ea9e306ef736368707fef38
Opcode Fuzzy Hash: 6283e7935f279b4ebb4cc9d2196c84d8832511385e8f2ade05f6d4dcafbd7c07
Instruction Fuzzy Hash: 38B216F360C204AFE7046E2DEC8567AFBE9EF94720F16493DEAC483744EA3558058697

Function 001F6172 Relevance: 12.8, Strings: 9, Instructions: 1597COMMON

Download Yara Rule

Strings

d6w, xrefs: 001F6F84
O[5}, xrefs: 001F6F03
h+J\, xrefs: 001F7433
,$J&, xrefs: 001F6DA2
a>[], xrefs: 001F6D31
z6U, xrefs: 001F62AA
X'_m, xrefs: 001F709A
Q-M, xrefs: 001F65C4
x, xrefs: 001F6723

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: ,$J&$O[5}$Q-M$X'_m$a>[]$h+J\$z6U$d6w$x
API String ID: 0-2355472187
Opcode ID: 6283e7935f279b4ebb4cc9d2196c84d8832511385e8f2ade05f6d4dcafbd7c07
Instruction ID: 1975d0812acee258743d281c77eacb71ad19596b5ea9e306ef736368707fef38
Opcode Fuzzy Hash: 6283e7935f279b4ebb4cc9d2196c84d8832511385e8f2ade05f6d4dcafbd7c07
Instruction Fuzzy Hash: 38B216F360C204AFE7046E2DEC8567AFBE9EF94720F16493DEAC483744EA3558058697

Function 001F7B8C Relevance: 11.6, Strings: 8, Instructions: 1627COMMON

Download Yara Rule

Strings

6y__, xrefs: 001F7DCD
/= G, xrefs: 001F8145
%y;, xrefs: 001F8658
[-gw, xrefs: 001F8951
PjN?, xrefs: 001F86E8
Y[nw, xrefs: 001F7F9D
W[u}, xrefs: 001F8CB6
ZG)n, xrefs: 001F8B5D

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: /= G$6y__$PjN?$W[u}$Y[nw$ZG)n$[-gw$%y;
API String ID: 0-942775717
Opcode ID: 1bd175da6e1edcc5434c2f70c9361b33b496e253d9d1fce5e7959c7c7561b3d6
Instruction ID: e3cb72e202d1135a3e723737a71049f2dd18dd4eaf8ad2bae8a2e13410aa97a5
Opcode Fuzzy Hash: 1bd175da6e1edcc5434c2f70c9361b33b496e253d9d1fce5e7959c7c7561b3d6
Instruction Fuzzy Hash: B5B2E7F360C2109FE3046E2DEC85A7AB7E9EF94720F1A453DE6C4C3744EA7598058697

Function 001F7B8C Relevance: 11.6, Strings: 8, Instructions: 1627COMMON

Download Yara Rule

Strings

W[u}, xrefs: 001F8CB6
6y__, xrefs: 001F7DCD
/= G, xrefs: 001F8145
ZG)n, xrefs: 001F8B5D
PjN?, xrefs: 001F86E8
%y;, xrefs: 001F8658
Y[nw, xrefs: 001F7F9D
[-gw, xrefs: 001F8951

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID: /= G$6y__$PjN?$W[u}$Y[nw$ZG)n$[-gw$%y;
API String ID: 0-942775717
Opcode ID: 1bd175da6e1edcc5434c2f70c9361b33b496e253d9d1fce5e7959c7c7561b3d6
Instruction ID: e3cb72e202d1135a3e723737a71049f2dd18dd4eaf8ad2bae8a2e13410aa97a5
Opcode Fuzzy Hash: 1bd175da6e1edcc5434c2f70c9361b33b496e253d9d1fce5e7959c7c7561b3d6
Instruction Fuzzy Hash: B5B2E7F360C2109FE3046E2DEC85A7AB7E9EF94720F1A453DE6C4C3744EA7598058697

Function 0004098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

cah`, xrefs: 0004107E
&> &, xrefs: 00040F89
9.5^, xrefs: 00040F9F
{, xrefs: 00041502
,#15, xrefs: 00040F94
%*+(, xrefs: 00040A77, 00040A86
gce/, xrefs: 00041073
qrqp, xrefs: 00041089

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: 724c74d2e67f9efe8ff54fda1682d53843ac145760014eae25665c2f382e1a4b
Instruction ID: d299e9b9814864559fb255bdfd325c007a7d3a7439c401052f2a4e3941625dac
Opcode Fuzzy Hash: 724c74d2e67f9efe8ff54fda1682d53843ac145760014eae25665c2f382e1a4b
Instruction Fuzzy Hash: AB6299B1608381CBD730CF14D891BABB7E1FF96314F08492DE49A9B642E3759984CB97

Function 00021000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

gfff, xrefs: 000222E1
gfff, xrefs: 00022297
@, xrefs: 00022C40
gfff, xrefs: 00022226
0123456789abcdefxp, xrefs: 00021587, 000215F8
-, xrefs: 000221ED
0123456789ABCDEFXP, xrefs: 0002157D, 000215EB

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: ec49e5966a1c20ea804ef409fbc96ff619bd935a1deaee0c08eb21cef31e9cc0
Instruction ID: 7081a58a9ef38e85c88359b99ecbaab3eaeb8818970ed75ebdcce2987298b541
Opcode Fuzzy Hash: ec49e5966a1c20ea804ef409fbc96ff619bd935a1deaee0c08eb21cef31e9cc0
Instruction Fuzzy Hash: 66D225316083619FD718CE28D49436EBBE2AFD9314F188A2DE499CB391D778DD45CB82

Function 001F964C Relevance: 9.1, Strings: 6, Instructions: 1642COMMON

Download Yara Rule

Strings

E ~, xrefs: 001FA12C
Ugww, xrefs: 001FA10A
z^?, xrefs: 001F98C7
l]~?, xrefs: 001FA255
Qnl, xrefs: 001F9A20
m]~?, xrefs: 001FA3D2

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: E ~$Qnl$Ugww$l]~?$m]~?$z^?
API String ID: 0-1517387116
Opcode ID: e1f08da504b3c05ee30d9817a848b6e633aea99529ae541ebacd5c5e9420fa82
Instruction ID: da25a831fe84691102d3fc7418b10f7536f3676552b012707ecefd124eaae6fd
Opcode Fuzzy Hash: e1f08da504b3c05ee30d9817a848b6e633aea99529ae541ebacd5c5e9420fa82
Instruction Fuzzy Hash: BCB227F36082049FE704AE2DEC8567ABBE9EF94320F1A493DE6C5C7744EA3558418787

Function 001F964C Relevance: 9.1, Strings: 6, Instructions: 1642COMMON

Download Yara Rule

Strings

E ~, xrefs: 001FA12C
Ugww, xrefs: 001FA10A
Qnl, xrefs: 001F9A20
l]~?, xrefs: 001FA255
m]~?, xrefs: 001FA3D2
z^?, xrefs: 001F98C7

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID: E ~$Qnl$Ugww$l]~?$m]~?$z^?
API String ID: 0-1517387116
Opcode ID: e1f08da504b3c05ee30d9817a848b6e633aea99529ae541ebacd5c5e9420fa82
Instruction ID: da25a831fe84691102d3fc7418b10f7536f3676552b012707ecefd124eaae6fd
Opcode Fuzzy Hash: e1f08da504b3c05ee30d9817a848b6e633aea99529ae541ebacd5c5e9420fa82
Instruction Fuzzy Hash: BCB227F36082049FE704AE2DEC8567ABBE9EF94320F1A493DE6C5C7744EA3558418787

Function 001F47F5 Relevance: 9.1, Strings: 6, Instructions: 1555COMMON

Download Yara Rule

Strings

2?e, xrefs: 001F5174
~v, xrefs: 001F56DF
R%G, xrefs: 001F5494
Eg, xrefs: 001F58C1
u,+W, xrefs: 001F4FCF
HW", xrefs: 001F558F

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: u,+W$2?e$Eg$HW"$R%G$~v
API String ID: 0-3891433
Opcode ID: 363c37b8ed8a17b94c9420fc5dc5e056622432645412f63ccc1bfca79edb67fb
Instruction ID: 4e95a97059d84b0b2595702f3f5dcd4e4b1950a3a0d51e2c15952a29d46ef3a7
Opcode Fuzzy Hash: 363c37b8ed8a17b94c9420fc5dc5e056622432645412f63ccc1bfca79edb67fb
Instruction Fuzzy Hash: 52B2E2F360C6009FE304AE29EC8567ABBE9EFD4720F16893DE6C4C3344EA3558558697

Function 001F47F5 Relevance: 9.1, Strings: 6, Instructions: 1555COMMON

Download Yara Rule

Strings

u,+W, xrefs: 001F4FCF
~v, xrefs: 001F56DF
R%G, xrefs: 001F5494
HW", xrefs: 001F558F
Eg, xrefs: 001F58C1
2?e, xrefs: 001F5174

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID: u,+W$2?e$Eg$HW"$R%G$~v
API String ID: 0-3891433
Opcode ID: 363c37b8ed8a17b94c9420fc5dc5e056622432645412f63ccc1bfca79edb67fb
Instruction ID: 4e95a97059d84b0b2595702f3f5dcd4e4b1950a3a0d51e2c15952a29d46ef3a7
Opcode Fuzzy Hash: 363c37b8ed8a17b94c9420fc5dc5e056622432645412f63ccc1bfca79edb67fb
Instruction Fuzzy Hash: 52B2E2F360C6009FE304AE29EC8567ABBE9EFD4720F16893DE6C4C3344EA3558558697

Function 001EF5E8 Relevance: 7.8, Strings: 5, Instructions: 1533COMMON

Download Yara Rule

Strings

/j_w, xrefs: 001EFB2E
j({Y, xrefs: 001EFA79
', xrefs: 001F06EC
/w, xrefs: 001EFBC7
gB<O, xrefs: 001F0425

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: /j_w$/w$gB<O$j({Y$'
API String ID: 0-2712264786
Opcode ID: e8c5c706be3944239a67703606612c2f1b20df8038316b9929830e884b2623c3
Instruction ID: 95140450e26ecb9cfcabccfafce5a35921e9d44be7a85ec5116cf0920548809b
Opcode Fuzzy Hash: e8c5c706be3944239a67703606612c2f1b20df8038316b9929830e884b2623c3
Instruction Fuzzy Hash: DBA25BF3A082049FE3046E2DEC8566AB7E9EFD4320F1A863DEAC4C7744E97558058696

Function 001EF5E8 Relevance: 7.8, Strings: 5, Instructions: 1533COMMON

Download Yara Rule

Strings

gB<O, xrefs: 001F0425
j({Y, xrefs: 001EFA79
/j_w, xrefs: 001EFB2E
', xrefs: 001F06EC
/w, xrefs: 001EFBC7

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID: /j_w$/w$gB<O$j({Y$'
API String ID: 0-2712264786
Opcode ID: e8c5c706be3944239a67703606612c2f1b20df8038316b9929830e884b2623c3
Instruction ID: 95140450e26ecb9cfcabccfafce5a35921e9d44be7a85ec5116cf0920548809b
Opcode Fuzzy Hash: e8c5c706be3944239a67703606612c2f1b20df8038316b9929830e884b2623c3
Instruction Fuzzy Hash: DBA25BF3A082049FE3046E2DEC8566AB7E9EFD4320F1A863DEAC4C7744E97558058696

Function 000212F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

i, xrefs: 000228EA
0, xrefs: 00021DC1
0, xrefs: 00021E88
@, xrefs: 00023531
0, xrefs: 0002243E

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: 4b42bb470f15a6b2c9338eaaf07f70e2388f0b22e1a72d685d5568b7bd693d61
Instruction ID: 202cc8a990e1dfec15834262fe0615b4ef4d00ea6dc1c107b7da74ed5d2415df
Opcode Fuzzy Hash: 4b42bb470f15a6b2c9338eaaf07f70e2388f0b22e1a72d685d5568b7bd693d61
Instruction Fuzzy Hash: C662007160C3A19FD319CF28D49436EBBE1AFD5308F188A2DE8D987291D774D949CB82

Function 0002164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

+, xrefs: 00021573
gfff, xrefs: 00021F3C
0123456789abcdefxp, xrefs: 00021659
gfff, xrefs: 00021F57
0123456789ABCDEFXP, xrefs: 0002164F

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: b97e5c6546b238691cf25a656ebe120b93b21da686a3a86faa3d1d55a0421d20
Instruction ID: 67fb6b2d709e8c1f9df13fc6f172169b9a307bf04cce2d4c475d6b040b149948
Opcode Fuzzy Hash: b97e5c6546b238691cf25a656ebe120b93b21da686a3a86faa3d1d55a0421d20
Instruction Fuzzy Hash: CCF1AE3160C3A19FC715CE68D4843AEFBE2ABD9304F188A6DE4D987352D734D949CB92

Function 001FB0F4 Relevance: 6.7, Strings: 4, Instructions: 1652COMMON

Download Yara Rule

Strings

GUU1, xrefs: 001FBAA5
m}, xrefs: 001FBF7F
:OU=, xrefs: 001FB2E1
m}, xrefs: 001FBF7A

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: :OU=$GUU1$m}$m}
API String ID: 0-2918312137
Opcode ID: a78450c14a2fb718144b18afee93d3af4f1453abb540cfd9ded7d21582fd104d
Instruction ID: dfa9ab1f5427704a87688dad98733e995424530576eb1c6cfd1b9ca3d32ff6f8
Opcode Fuzzy Hash: a78450c14a2fb718144b18afee93d3af4f1453abb540cfd9ded7d21582fd104d
Instruction Fuzzy Hash: 8BB2F8F360C2009FE314AE2DEC8567ABBE9EFD4720F1A493DE6C4C7744E93558058696

Function 001FB0F4 Relevance: 6.7, Strings: 4, Instructions: 1652COMMON

Download Yara Rule

Strings

m}, xrefs: 001FBF7A
:OU=, xrefs: 001FB2E1
m}, xrefs: 001FBF7F
GUU1, xrefs: 001FBAA5

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID: :OU=$GUU1$m}$m}
API String ID: 0-2918312137
Opcode ID: a78450c14a2fb718144b18afee93d3af4f1453abb540cfd9ded7d21582fd104d
Instruction ID: dfa9ab1f5427704a87688dad98733e995424530576eb1c6cfd1b9ca3d32ff6f8
Opcode Fuzzy Hash: a78450c14a2fb718144b18afee93d3af4f1453abb540cfd9ded7d21582fd104d
Instruction Fuzzy Hash: 8BB2F8F360C2009FE314AE2DEC8567ABBE9EFD4720F1A493DE6C4C7744E93558058696

Function 000213A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

-, xrefs: 00021F23
gfff, xrefs: 00021F3C
0123456789abcdefxp, xrefs: 000213AD
gfff, xrefs: 00021F57
0123456789ABCDEFXP, xrefs: 000213A3

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: 8eb6b2d529e2dcd52da7495826faefffe73a208c7231ce4e971b48b6e0a79caf
Instruction ID: 0f62e84e2e340621b32c6122e6a8f0bab693a919fce69995808a18164a8da34f
Opcode Fuzzy Hash: 8eb6b2d529e2dcd52da7495826faefffe73a208c7231ce4e971b48b6e0a79caf
Instruction Fuzzy Hash: D2D1BF3160C7919FC719CE29D4842AAFBE2AFD9304F08CA6DE4D987352D734D949CB92

Function 001F2CDA Relevance: 6.6, Strings: 4, Instructions: 1615COMMON

Download Yara Rule

Strings

NsK, xrefs: 001F3544
5Mo, xrefs: 001F384D
Bb3t, xrefs: 001F36C7
}sO, xrefs: 001F35B5

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: 5Mo$Bb3t$NsK$}sO
API String ID: 0-328608852
Opcode ID: c0f8ccda44fefe2546d5f1506c8841a00a25e3ee50d2ec631647061651e8af34
Instruction ID: 040e259658f5b63e345b2894b146d91a99d69fca24648e71dc49c943e5b3ed54
Opcode Fuzzy Hash: c0f8ccda44fefe2546d5f1506c8841a00a25e3ee50d2ec631647061651e8af34
Instruction Fuzzy Hash: EFB239F390C214AFE3046E29EC4567ABBE9EF94720F1A493DEAC4D3744EA3558018797

Function 001F2CDA Relevance: 6.6, Strings: 4, Instructions: 1615COMMON

Download Yara Rule

Strings

Bb3t, xrefs: 001F36C7
NsK, xrefs: 001F3544
}sO, xrefs: 001F35B5
5Mo, xrefs: 001F384D

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID: 5Mo$Bb3t$NsK$}sO
API String ID: 0-328608852
Opcode ID: c0f8ccda44fefe2546d5f1506c8841a00a25e3ee50d2ec631647061651e8af34
Instruction ID: 040e259658f5b63e345b2894b146d91a99d69fca24648e71dc49c943e5b3ed54
Opcode Fuzzy Hash: c0f8ccda44fefe2546d5f1506c8841a00a25e3ee50d2ec631647061651e8af34
Instruction Fuzzy Hash: EFB239F390C214AFE3046E29EC4567ABBE9EF94720F1A493DEAC4D3744EA3558018797

Function 0004FD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

uvw, xrefs: 0004FE95
:, xrefs: 00050087
NA_I, xrefs: 0005036D
m1s3, xrefs: 0004FEC3, 0004FECB

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: c6e07f6d1b40af3f5d0dbb6c47378ade0434714e62293059fd1d8236bb1a81ca
Instruction ID: 2abee0027e9ca1e3a63fd002b9b41dbd2a60d1427ffbfb8835143bc439075e64
Opcode Fuzzy Hash: c6e07f6d1b40af3f5d0dbb6c47378ade0434714e62293059fd1d8236bb1a81ca
Instruction Fuzzy Hash: 8D32AAB0908381DFE310DF28D881A6FBBE5AB89345F14492CF9D59B292D339D949CF52

Function 001F1106 Relevance: 5.4, Strings: 3, Instructions: 1686COMMON

Download Yara Rule

Strings

_Egn, xrefs: 001F138D
3Eit .\Z, xrefs: 001F1106, 001F1127, 001F1128, 001F11AC, 001F11FA
n~w, xrefs: 001F12BB

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: 3Eit .\Z$_Egn$n~w
API String ID: 0-2288617932
Opcode ID: a1bd9f24f3a11a8a29d5682398c42934fb0dc364efb557465c6bbc8d34fe8498
Instruction ID: bb9844e0f7b90a9544d5291e4577b91e9e28e2ba5d1f640e93b8aab3de533e50
Opcode Fuzzy Hash: a1bd9f24f3a11a8a29d5682398c42934fb0dc364efb557465c6bbc8d34fe8498
Instruction Fuzzy Hash: 00B2F8F3A0C204AFE3146E2DEC8567ABBE9EFD4320F1A453DE6C4D7744EA3558018696

Function 001F1106 Relevance: 5.4, Strings: 3, Instructions: 1686COMMON

Download Yara Rule

Strings

n~w, xrefs: 001F12BB
_Egn, xrefs: 001F138D
3Eit .\Z, xrefs: 001F1106, 001F1127, 001F1128, 001F11AC, 001F11FA

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID: 3Eit .\Z$_Egn$n~w
API String ID: 0-2288617932
Opcode ID: a1bd9f24f3a11a8a29d5682398c42934fb0dc364efb557465c6bbc8d34fe8498
Instruction ID: bb9844e0f7b90a9544d5291e4577b91e9e28e2ba5d1f640e93b8aab3de533e50
Opcode Fuzzy Hash: a1bd9f24f3a11a8a29d5682398c42934fb0dc364efb557465c6bbc8d34fe8498
Instruction Fuzzy Hash: 00B2F8F3A0C204AFE3146E2DEC8567ABBE9EFD4320F1A453DE6C4D7744EA3558018696

Function 00033BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

;z, xrefs: 00033C87
ss, xrefs: 00033C79
%*+(, xrefs: 00033EC4
p, xrefs: 00033C80

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: 0fca97a38215362a98fa1e4bb64f8f5e5fbf2182a546c235a19852952ef0ff09
Instruction ID: 2d2c74f4f6d4526e3552e79475831f7d3af90a4fd9d7c45478e13fcd4cc9e8d6
Opcode Fuzzy Hash: 0fca97a38215362a98fa1e4bb64f8f5e5fbf2182a546c235a19852952ef0ff09
Instruction Fuzzy Hash: B4025AB4810B00DFD760DF28D986756BFF5FF01301F50895DE89A9B696E374A818CBA2

Function 00042260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

a|, xrefs: 00042317
sj, xrefs: 00042327
hu, xrefs: 0004232F
lc, xrefs: 00042507

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: a|$hu$lc$sj
API String ID: 0-3748788050
Opcode ID: 5e4ae9e661995d98c9b970114ffd06cce483796ecd7f861783e497a4492f0686
Instruction ID: 8ada117de09c85f3d5b68caed113b9e19fc167270f57dad9d1e1ecab4f6de1c5
Opcode Fuzzy Hash: 5e4ae9e661995d98c9b970114ffd06cce483796ecd7f861783e497a4492f0686
Instruction Fuzzy Hash: 17A19CB05083418BC720DF18C891A2BB7F0FF95754F948A1CF8D99B291E339D941CBAA

Function 001FE717 Relevance: 5.3, Strings: 3, Instructions: 1569COMMON

Download Yara Rule

Strings

3`of, xrefs: 001FEA95
vu~, xrefs: 001FF84C
O, xrefs: 001FF438

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: vu~$3`of$O
API String ID: 0-3800194811
Opcode ID: e8447032707dc515aea3c0e9ced3b898d0d74bf97cace6b4fc88d562aaf79dbf
Instruction ID: cd90a300e5d8a793e644dba7316be80e9559ac5a5dc4b20a282e3fedef8b168b
Opcode Fuzzy Hash: e8447032707dc515aea3c0e9ced3b898d0d74bf97cace6b4fc88d562aaf79dbf
Instruction Fuzzy Hash: 15B2D4F360C2049FE304AE29EC8567AF7E9EF94720F16893DE6C4C7744EA7598018697

Function 001FE717 Relevance: 5.3, Strings: 3, Instructions: 1569COMMON

Download Yara Rule

Strings

O, xrefs: 001FF438
vu~, xrefs: 001FF84C
3`of, xrefs: 001FEA95

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID: vu~$3`of$O
API String ID: 0-3800194811
Opcode ID: e8447032707dc515aea3c0e9ced3b898d0d74bf97cace6b4fc88d562aaf79dbf
Instruction ID: cd90a300e5d8a793e644dba7316be80e9559ac5a5dc4b20a282e3fedef8b168b
Opcode Fuzzy Hash: e8447032707dc515aea3c0e9ced3b898d0d74bf97cace6b4fc88d562aaf79dbf
Instruction Fuzzy Hash: 15B2D4F360C2049FE304AE29EC8567AF7E9EF94720F16893DE6C4C7744EA7598018697

Function 0004D7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

KV, xrefs: 0004D97D
T>, xrefs: 0004D984
CV, xrefs: 0004D98B
#', xrefs: 0004D9EA

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: 71fb1385bced89228d8bbe83a44b6a6f54911178d373ec9a8446171a9c609050
Instruction ID: 0a5fef936a953432705a9d5db2d694cff4fee7ff814d20f75ca5214833b01e54
Opcode Fuzzy Hash: 71fb1385bced89228d8bbe83a44b6a6f54911178d373ec9a8446171a9c609050
Instruction Fuzzy Hash: FC8165F48017459BCB20DF95D2851AEBFB1FF12300F20461DE886ABA55C334AA55CFE6

Function 0004AC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

,{*y, xrefs: 0004AD07, 0004AD13
lk, xrefs: 0004ACBC
4c2a, xrefs: 0004ACA9
(g6e, xrefs: 0004ACA1

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: 81596a04c86ec08259c24b8417065c46f4a3ae0d7d033a262703b1cd0c6415fe
Instruction ID: b54c9284be9ee671e73df3b2ab4d4495c6289aa20ba3c9a1829d2bd77d91af6a
Opcode Fuzzy Hash: 81596a04c86ec08259c24b8417065c46f4a3ae0d7d033a262703b1cd0c6415fe
Instruction Fuzzy Hash: 6A41B8B4808381CBE7209F24D800BABB7F0FF86305F50592DE5C8A7260DB79D944CB9A

Function 0004C470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0004C8C3, 0004C8CB
%*+(, xrefs: 0004C9E4, 0004C9ED
~/i!, xrefs: 0004C537

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: b960c3c3500a6a59a7793207a76dafb9022c2df3f930f4ead665cf75a6d126fd
Instruction ID: fc1620c8ffb252037453ba81a1086984282ba341c5ae3bf65d85c2e782463cf5
Opcode Fuzzy Hash: b960c3c3500a6a59a7793207a76dafb9022c2df3f930f4ead665cf75a6d126fd
Instruction Fuzzy Hash: 17E198B5909340EFE3209F28D881B9FBBF5FB85344F44882CE58997292D739D854CB92

Function 00028590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

IEND, xrefs: 000289F0
), xrefs: 0002860C
), xrefs: 00028616

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: da266a1b5b09c22a11a96b3877555010492da0f4f66f26e4fc2ec6bb13178f50
Instruction ID: 53da73fcb3edbd43377823ed8eddc083903e75795f7d30b8b43a1b1001465e77
Opcode Fuzzy Hash: da266a1b5b09c22a11a96b3877555010492da0f4f66f26e4fc2ec6bb13178f50
Instruction Fuzzy Hash: E5E1E2B5A087119FE310CF28E84576AFBE0BB94318F14892DE59597382DB75E914CBC3

Function 00064040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

%*+(, xrefs: 000640A4, 000640AD
f, xrefs: 0006420C

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: ad53adc70427b58ded8128184055068aeb81df10306d8233426c101162fa0e4e
Instruction ID: 268ad28de905c35ceb2e595f8513d8fc8a325b41c9e63eb9c8f619f953ac19ee
Opcode Fuzzy Hash: ad53adc70427b58ded8128184055068aeb81df10306d8233426c101162fa0e4e
Instruction Fuzzy Hash: 8B12B8716083418FC715CF18D880B6EBBE2FB8A314F588A2CF8959B391D735E945CB92

Function 0005F620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

hi, xrefs: 0005F6E6
dg, xrefs: 0005F7F5

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: c0b76208f178c02e3d56aa571fbfacc15f7bc2f113af487323f8c06dfd2d7500
Instruction ID: f696d0f127aa00a0cd05c4661f31b57cf24c75c280c1456382e04594e7aeac40
Opcode Fuzzy Hash: c0b76208f178c02e3d56aa571fbfacc15f7bc2f113af487323f8c06dfd2d7500
Instruction Fuzzy Hash: 62F18571618302EFE704CF24D891B6BBBE6EB85355F14992CF4899B2A1C739D845CB12

Function 000235B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

Inf, xrefs: 00023607
NaN, xrefs: 0002360E

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: cb5cb0b4468e514624e8b68777a4242cb344f31f953747149e61fe8e240275e8
Instruction ID: 1fd7c918870c505debb2e3f4dba6353d79bd777a2bb1a6718339976e09b03e08
Opcode Fuzzy Hash: cb5cb0b4468e514624e8b68777a4242cb344f31f953747149e61fe8e240275e8
Instruction Fuzzy Hash: 5DD1E571A083219BC714CF28D88061FBBE5EBC8750F158A3DF999973A0E779DD458B82

Function 001FCBDB Relevance: 2.9, Strings: 1, Instructions: 1623COMMON

Download Yara Rule

Strings

D9&6, xrefs: 001FDF7A

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: D9&6
API String ID: 0-317511892
Opcode ID: 54c874502187a0bb953561c30bb5edb9a0254eb2f0bf43256c958e0d08f6e64f
Instruction ID: 1d0cdad4a213fec97e83f5d705ad8e999be29d9f91366ac8960266012486fc4b
Opcode Fuzzy Hash: 54c874502187a0bb953561c30bb5edb9a0254eb2f0bf43256c958e0d08f6e64f
Instruction Fuzzy Hash: DAB2E4F350C2049FE3046E29EC8567AFBE9EF94720F1A892DE6C4C3744EA3598458697

Function 001FCBDB Relevance: 2.9, Strings: 1, Instructions: 1623COMMON

Download Yara Rule

Strings

D9&6, xrefs: 001FDF7A

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID: D9&6
API String ID: 0-317511892
Opcode ID: 54c874502187a0bb953561c30bb5edb9a0254eb2f0bf43256c958e0d08f6e64f
Instruction ID: 1d0cdad4a213fec97e83f5d705ad8e999be29d9f91366ac8960266012486fc4b
Opcode Fuzzy Hash: 54c874502187a0bb953561c30bb5edb9a0254eb2f0bf43256c958e0d08f6e64f
Instruction Fuzzy Hash: DAB2E4F350C2049FE3046E29EC8567AFBE9EF94720F1A892DE6C4C3744EA3598458697

Function 0008778F Relevance: 2.8, Strings: 2, Instructions: 252COMMON

Download Yara Rule

Strings

hQ1, xrefs: 0016B170
;Cu, xrefs: 0016B0BB

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID: ;Cu$hQ1
API String ID: 0-2753495210
Opcode ID: 5d88cc264ea437a72878c3b7ebc2b6e13f719c572373cbd3ccf484e491be3a16
Instruction ID: 5c67d92a51a5252b6380d0b813de2e748965649d829dbb0a767a3d1676abf1af
Opcode Fuzzy Hash: 5d88cc264ea437a72878c3b7ebc2b6e13f719c572373cbd3ccf484e491be3a16
Instruction Fuzzy Hash: 448127F3E183109FE3045A29DC8576AB7D5EF94720F2A453DEAC997380EA795C018786

Function 0003FFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

Ye[g, xrefs: 000400F6
BaBc, xrefs: 00040197

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: 3d4c62fb6ac97924b56f9057e35687a4bf06fbd479e4ae891bed686b9ecd9cea
Instruction ID: 9343c7a5dc455deb0a96233b0c2e8902ff300d669f6b006cfe4c6f3942f487d2
Opcode Fuzzy Hash: 3d4c62fb6ac97924b56f9057e35687a4bf06fbd479e4ae891bed686b9ecd9cea
Instruction Fuzzy Hash: 3B51BDB16083818BD731CF14C885BABB7E0FF96314F19492DE4DAAB691E3749940CB5B

Function 000271F0 Relevance: 1.9, Strings: 1, Instructions: 657COMMON

Download Yara Rule

Strings

MZx, xrefs: 0002781B

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: MZx
API String ID: 0-2575928145
Opcode ID: 0ac120bf43bd10bcb8d63b8743637bef1a56d76398ef0470259e2c50ba16a2cf
Instruction ID: 4a42397c4e9b6fed37945fbfdf81e79ba9353af7ebfc25c68cf8d15f31911838
Opcode Fuzzy Hash: 0ac120bf43bd10bcb8d63b8743637bef1a56d76398ef0470259e2c50ba16a2cf
Instruction Fuzzy Hash: DB52B13150C3658FCB15CF28D0906AEBBE1BF88314F198A6DE89D5B352D774E989CB81

Function 000512D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 000515D1

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: d914bb298715df08f8fbad2e3e2b1986597b533958ef5fb926084abb31edce41
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: CDF12471A083414BC724CE28C491BBBBBE6AFC5355F1C896DEC9A87382D634DD49C792

Function 0004AE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0004B2D3, 0004B2DB

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 0cead404227ee1f2493f06bf382e9f70557943772fe546a16aab700f2c86f814
Instruction ID: 6c279854595e4bb9fe1055e0f6792632b30d5b34d0f81c47d9538082e2ede6bf
Opcode Fuzzy Hash: 0cead404227ee1f2493f06bf382e9f70557943772fe546a16aab700f2c86f814
Instruction Fuzzy Hash: 7CE1BDB1508306CBC324DF29C89056EB3F2FF99742F54892CE4C597261E335EA99CB86

Function 00036EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00036EF3

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 88728fcdaf31e9a530cfff7c11f0aa8c171ee5ae97cafb74fabb5685d5f7059b
Instruction ID: 6e5b64124408970636c7c966bcc138d807e0e7fc2bde841fcf0cbc1c4be353ad
Opcode Fuzzy Hash: 88728fcdaf31e9a530cfff7c11f0aa8c171ee5ae97cafb74fabb5685d5f7059b
Instruction Fuzzy Hash: BFF1ADB5A00A01DFD725DF24E881A26B3F6FF48314F148A2DE49787692EB75F815CB41

Function 00047E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00048263, 0004826B

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 7c0d49cf77fdfcc857aa8b1a1a57107fa64ce26d5f7e9a5831f46168ed08b27f
Instruction ID: d1b6e5723925792129995f11f2a29b085596be8d516a4db48e308f96ee64ee71
Opcode Fuzzy Hash: 7c0d49cf77fdfcc857aa8b1a1a57107fa64ce26d5f7e9a5831f46168ed08b27f
Instruction Fuzzy Hash: 0DC1BEB1908200ABD710EB14D882A2FB7F5EF95754F088C29F8C997252E735ED45CBA7

Function 00048D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00049233, 0004923B

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: adfa26aa365e14d36d8f134287d97d2deeec3021aeb39a325eafe7387c58a9c9
Instruction ID: fc1c5df2a36f08c92473f0853fd50d12e8c8b09bd68bf62407e1010a03e6dc49
Opcode Fuzzy Hash: adfa26aa365e14d36d8f134287d97d2deeec3021aeb39a325eafe7387c58a9c9
Instruction Fuzzy Hash: EAD1ABB0A18302DFE714DF64DC90A6AB7E5FF88305F09897CE88A97251D739E990CB51

Function 00067FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 00068167

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: ca48e98aaaea986f8ae5798c230931176ebae4fb4ff42e1a801ffa19ce38a6d0
Instruction ID: bf5d6fd1cc172a1b1cb77697f7d451724bcb73464ffff28bea3fc88af8a51d51
Opcode Fuzzy Hash: ca48e98aaaea986f8ae5798c230931176ebae4fb4ff42e1a801ffa19ce38a6d0
Instruction Fuzzy Hash: C3D1F5729082714FD725CE18D89072EB7E2EB85718F158A2CE9B5AB380CB75DC46C7C1

Function 0004CCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0004CDC3, 0004CDCB

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: 26fb16cffde58475ac6168d3c03bb43f86fc0a94157099509e795320c361ae7b
Instruction ID: f967c7bdbd1cd54c1f3b5787df2390403667bbfc764d0b0219e858f7e4953703
Opcode Fuzzy Hash: 26fb16cffde58475ac6168d3c03bb43f86fc0a94157099509e795320c361ae7b
Instruction Fuzzy Hash: BCB101B0A0A3018BE754DF14D881B2BBBF2EF85344F14493CE5C58B252E335D855CB9A

Function 0002A850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 0002A9C3

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction ID: 7fd0e5e816d954c34d9910590a1e8e588317306e39e969eb66e08242672232f2
Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction Fuzzy Hash: E4B138702083819FD321CF19D89061BFBE1AFAA704F448A2DF5D997742D671EA48CB97

Function 0005FC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0005FCA4, 0005FCAD

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 099413bd7fbf75f21261f38bebd51f7150fced67ac188c3f255cd8c4211c9091
Instruction ID: 561430134e5eeefe27886720fed2ac987b94cc3c3d415d3fbf5401631e91a7eb
Opcode Fuzzy Hash: 099413bd7fbf75f21261f38bebd51f7150fced67ac188c3f255cd8c4211c9091
Instruction Fuzzy Hash: 3881BD70508201ABE714DF54ED85A2BB7F6FB89702F04883CF98997252D739D958CBA2

Function 0003D457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0003D663, 0003D66B

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 0896a133b32ac77ede8d93ebf0ba996ac01aa36dd3be3bb203917962fba9cbfb
Instruction ID: 17cb16261a97d3867927c76338b908b03861ab3bf30c301951acf9d1bf71bf26
Opcode Fuzzy Hash: 0896a133b32ac77ede8d93ebf0ba996ac01aa36dd3be3bb203917962fba9cbfb
Instruction Fuzzy Hash: 0961F472908214DBE711EF18EC42A6A73F9FF94354F44052EF98997252E339D950C792

Function 00064A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00064C33, 00064C3B

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: a3dd942d0d5e7fa17ba8a793646002115af77ec230c2533bd93b5e10126b509b
Instruction ID: 302a731eff42f3fed75ba6fd3d7138667154f334b2a2cebfea83d9dd89931d03
Opcode Fuzzy Hash: a3dd942d0d5e7fa17ba8a793646002115af77ec230c2533bd93b5e10126b509b
Instruction Fuzzy Hash: 3F61DD71A083019FE764DF69D880B2ABBE7EBC5325F18891CE58987391D772EC40CB52

Function 00130BF3 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

QN, xrefs: 00130C06

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: QN
API String ID: 0-2325529579
Opcode ID: 34daded40796e1b1937882e5543b2d2d34bb0a141870eba35a8d75ea9b06dbb0
Instruction ID: ddc3050a3228b818a16a69b3dfa2c5f2a901188cbddaedee23e0b018f1b3b5cf
Opcode Fuzzy Hash: 34daded40796e1b1937882e5543b2d2d34bb0a141870eba35a8d75ea9b06dbb0
Instruction Fuzzy Hash: 315116F3A1C2009FE308AE39EC5577AB7E5EB94320F16493DE6C6D7780DA3598418746

Function 00130BF3 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

QN, xrefs: 00130C06

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID: QN
API String ID: 0-2325529579
Opcode ID: 34daded40796e1b1937882e5543b2d2d34bb0a141870eba35a8d75ea9b06dbb0
Instruction ID: ddc3050a3228b818a16a69b3dfa2c5f2a901188cbddaedee23e0b018f1b3b5cf
Opcode Fuzzy Hash: 34daded40796e1b1937882e5543b2d2d34bb0a141870eba35a8d75ea9b06dbb0
Instruction Fuzzy Hash: 315116F3A1C2009FE308AE39EC5577AB7E5EB94320F16493DE6C6D7780DA3598418746

Function 0015E0EA Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

vU[, xrefs: 0015E12D

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: vU[
API String ID: 0-1079391481
Opcode ID: f13ed649074fe925a304425fa1e9cf263382a5e0a75505d809114c39ca53e4a0
Instruction ID: f9fb8d1fcc352c01defd505395ba32f7dd610d70a89926588c5f8c76930cfd3a
Opcode Fuzzy Hash: f13ed649074fe925a304425fa1e9cf263382a5e0a75505d809114c39ca53e4a0
Instruction Fuzzy Hash: B1511AF3A0C6009FE3086E28DC5577ABBD6EBD4320F2A853DD695C3784E93958054796

Function 0015E0EA Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

vU[, xrefs: 0015E12D

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID: vU[
API String ID: 0-1079391481
Opcode ID: f13ed649074fe925a304425fa1e9cf263382a5e0a75505d809114c39ca53e4a0
Instruction ID: f9fb8d1fcc352c01defd505395ba32f7dd610d70a89926588c5f8c76930cfd3a
Opcode Fuzzy Hash: f13ed649074fe925a304425fa1e9cf263382a5e0a75505d809114c39ca53e4a0
Instruction Fuzzy Hash: B1511AF3A0C6009FE3086E28DC5577ABBD6EBD4320F2A853DD695C3784E93958054796

Function 0002E1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 0002E333

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: 0d3e826680c123144ee087f3d4fb07cd87269ff5157947a4f58fcfd57f9d6b40
Instruction ID: 505092bb89016c8f0848c67cc665ee7179cb0288e758f23ffdd6620f9519f2cf
Opcode Fuzzy Hash: 0d3e826680c123144ee087f3d4fb07cd87269ff5157947a4f58fcfd57f9d6b40
Instruction Fuzzy Hash: 18512A33B99AE08BE334C93DAC553AD6AC70BA2334B3DC769E9F6873E1D55948044390

Function 00063920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 000639E3, 000639EB

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 34f27798fb1f8347726da0de754a3fd5af6034df15d887e249b13ca2a0886e6e
Instruction ID: 21d8226c7658da21d303a468c10a0fc75cc9fe0cd9fe1de607e3fddbdbdb89f8
Opcode Fuzzy Hash: 34f27798fb1f8347726da0de754a3fd5af6034df15d887e249b13ca2a0886e6e
Instruction Fuzzy Hash: C851BE706092009BDB28DF54D880A2EBBF6FF85705F14881CE4CA97252C375DE10DBA3

Function 00154B4A Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

fNpn, xrefs: 00154C92

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: fNpn
API String ID: 0-3224953504
Opcode ID: 2e2da5f1217eeebe40bfc85a5ada77c9215bcf69da803af8157b2db548ac5528
Instruction ID: b38626dc9940a759e68731c7419b64fb49b99b548754d00c0100929c13c55391
Opcode Fuzzy Hash: 2e2da5f1217eeebe40bfc85a5ada77c9215bcf69da803af8157b2db548ac5528
Instruction Fuzzy Hash: CC41F5F3E081245BE304A97DDC447A7B7DA9BD4660F6A863DEA88D3384FC795C0142D5

Function 00154B4A Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

fNpn, xrefs: 00154C92

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID: fNpn
API String ID: 0-3224953504
Opcode ID: 2e2da5f1217eeebe40bfc85a5ada77c9215bcf69da803af8157b2db548ac5528
Instruction ID: b38626dc9940a759e68731c7419b64fb49b99b548754d00c0100929c13c55391
Opcode Fuzzy Hash: 2e2da5f1217eeebe40bfc85a5ada77c9215bcf69da803af8157b2db548ac5528
Instruction Fuzzy Hash: CC41F5F3E081245BE304A97DDC447A7B7DA9BD4660F6A863DEA88D3384FC795C0142D5

Function 000DAA24 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

q`+8, xrefs: 000DAB9D

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID: q`+8
API String ID: 0-3831666226
Opcode ID: a1b07a768fca923f0e3aff43b971bb4a73de238d94aa31ad5bf0ccfe19d1d095
Instruction ID: 00ac79a980b7c509c89e944e23e1e184a323ce3ca6eccd58ae5f964f9af052a3
Opcode Fuzzy Hash: a1b07a768fca923f0e3aff43b971bb4a73de238d94aa31ad5bf0ccfe19d1d095
Instruction Fuzzy Hash: 7B4129F35093049FE7047E29ED8577ABBE5EB64330F2A063DDAC083784E57558058697

Function 001028B6 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

a+ww, xrefs: 00102905

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: a+ww
API String ID: 0-953806293
Opcode ID: bd30c6f19a2c2af89068cf7fedb5de1c500a5871754f5690f3c1115faff81362
Instruction ID: 0481361cff07a72ab01cb4cdb99d514f8b3e02d615fedb5796f57dfd21e3e624
Opcode Fuzzy Hash: bd30c6f19a2c2af89068cf7fedb5de1c500a5871754f5690f3c1115faff81362
Instruction Fuzzy Hash: 694125F3E085009BE3189A2DDC4577ABBD6EFD0310F1B863DD6C8D3788D57899058686

Function 001028B6 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

a+ww, xrefs: 00102905

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID: a+ww
API String ID: 0-953806293
Opcode ID: bd30c6f19a2c2af89068cf7fedb5de1c500a5871754f5690f3c1115faff81362
Instruction ID: 0481361cff07a72ab01cb4cdb99d514f8b3e02d615fedb5796f57dfd21e3e624
Opcode Fuzzy Hash: bd30c6f19a2c2af89068cf7fedb5de1c500a5871754f5690f3c1115faff81362
Instruction Fuzzy Hash: 694125F3E085009BE3189A2DDC4577ABBD6EFD0310F1B863DD6C8D3788D57899058686

Function 00031BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00031C3E

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: 9596ac4f479ec5532a2fb87fc1660615e433825339b035eecb16fb3a026cd60a
Instruction ID: 32e036bda6bbc163aae27d9d38e63c08c132473a3a845960c5e71fd695203525
Opcode Fuzzy Hash: 9596ac4f479ec5532a2fb87fc1660615e433825339b035eecb16fb3a026cd60a
Instruction Fuzzy Hash: 6A4181B40183809BC7019F24D894A6FBBF8FF8A314F04991CF5C99B291D73ACA05CB56

Function 0005FF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00060033, 0006003B

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 54661c74c37b2773fcdd92c3c1ed9b7d97711a6e01bc4aa0f9cd11d90563345c
Instruction ID: 7a05f22cbf0ebd9e0cbe86382bd7b13bf7fc1ad18f77bafde6652e8b923b73ba
Opcode Fuzzy Hash: 54661c74c37b2773fcdd92c3c1ed9b7d97711a6e01bc4aa0f9cd11d90563345c
Instruction Fuzzy Hash: 613108B1A48315ABE610EA54DC81F2BB7EAEF85744F544828F885D7253E332DC14C7A3

Function 0004E40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 0004E6A2

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 6bedae5f7d348b3ea126c70f299d5286aa3ded6955815a2a05c99efeb8859d28
Instruction ID: ec628037e677e98ab2a77ed941c28af12e896b394867b6a6c00a79eabad9aeb6
Opcode Fuzzy Hash: 6bedae5f7d348b3ea126c70f299d5286aa3ded6955815a2a05c99efeb8859d28
Instruction Fuzzy Hash: AB31D5B5D04245DFE720CF98E8809AFB7B4FB0A355F140428E54AA7342D339A945CBA6

Function 00036F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0003703B

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: f7431a686d6d7a31b33b209df9bb2a6bceeecd9b1eefeae8a5b33aadfb6a8579
Instruction ID: 610bdeacb3bcec8225a264dc169f3ac7ef03832486f024bf6996b702c54ca24a
Opcode Fuzzy Hash: f7431a686d6d7a31b33b209df9bb2a6bceeecd9b1eefeae8a5b33aadfb6a8579
Instruction Fuzzy Hash: 8D4159B1604B04DBD73A8B61DD94B26B7F6FB09701F148818E58A9B6A2E376F800CB10

Function 0004E66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 0004E6A2

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 048de2ccef4fcf9a937b8dec820e50d2f1c229d7ed234b1ad543e3ffc831a98c
Instruction ID: fd29425cbc818533367dca345d5c79ec933fd2adff09c3a8b0824a5bd7758e5e
Opcode Fuzzy Hash: 048de2ccef4fcf9a937b8dec820e50d2f1c229d7ed234b1ad543e3ffc831a98c
Instruction Fuzzy Hash: 5821E5B1904645DFD720CF98E8809AFBBF5FB0A744F14082CD546A7341C339AD41CBA6

Function 00069CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 00069D30

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 04b9657ff0b57a1939c4147bf5177c6c2be25d386586e7f65890a7d7734b3fa0
Instruction ID: 09b565553ebfc23c2277789f0cd0c887e2c41ffb68619d666f8c1438de78c1a6
Opcode Fuzzy Hash: 04b9657ff0b57a1939c4147bf5177c6c2be25d386586e7f65890a7d7734b3fa0
Instruction Fuzzy Hash: AA3187709083009BD314EF14D880A2BFBFAFF9A359F14892CE5C8A7651D379D944CBA6

Function 00034E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d5737f1adc4b480fd0c6b244c5ba5a93e3ce716e6c4f09c279ab009e9359b7
Instruction ID: ea0841b887eeac0b2fb83c53c4538d04c42d8c23fabba094e72b42935359e461
Opcode Fuzzy Hash: f0d5737f1adc4b480fd0c6b244c5ba5a93e3ce716e6c4f09c279ab009e9359b7
Instruction Fuzzy Hash: F0627AB4500B008FD736CF24D995B27B7FAAF4A705F54892CD49A8BA62E735F804CB91

Function 0002BEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: 15c0bf2e32ec5aa4b191f01fa2b20f1a5c8b5e18005e92f508e6098595137161
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: AE5218319087318BD7659F18E8806BEB3E1FFC5319F298A2DD9C693281D734A855CB86

Function 00068652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ee8c9074d6e66c7aceb17baac1f8944c31fee19a3424c0d0e4722c64ab4f91
Instruction ID: e0d3cf334c13dc6147cb675115186b208e06aefe4dd4db0270614cbe39a8b2b9
Opcode Fuzzy Hash: d7ee8c9074d6e66c7aceb17baac1f8944c31fee19a3424c0d0e4722c64ab4f91
Instruction Fuzzy Hash: 2322ED35A0C341CFE704EF68E89062AB7E2FF8A315F49896DE58997351C739D990CB42

Function 000686F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc39a424bc332c538d8289ef99b5922c5c9a1e320882f27b0b729dd3053d211
Instruction ID: ae0f046a6ae988619a5e280d6b194feef7f6d63fbb3b88fffae3ca2231ed7ea9
Opcode Fuzzy Hash: 9dc39a424bc332c538d8289ef99b5922c5c9a1e320882f27b0b729dd3053d211
Instruction Fuzzy Hash: 4422BC35A0C340DFD704EF68E89061ABBE6FB8A305F49896DE58997352C739D990CB42

Function 0002B3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1817b5c4d38560a853120b3a8fc9228f8a0a8fab58061a6802527d1bdbcd227c
Instruction ID: d6737ebdf42f4b2e33e6b7a31a7f0c32f2c3c13c6feff8d77acc1fb76da54dd2
Opcode Fuzzy Hash: 1817b5c4d38560a853120b3a8fc9228f8a0a8fab58061a6802527d1bdbcd227c
Instruction Fuzzy Hash: 6152E770908BA48FE775CB24D4847A7BBE2EF91314F144C2EC5E60BB82D779A885CB51

Function 00028FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1216a0e8ac6d1b22054de5508a66f14bccf94a19848737f0aef1e89b539e259
Instruction ID: a75f56dd5d8fc902fb7f2fc16a41856a28a42a3324801eb3bfc41e5383cc0a05
Opcode Fuzzy Hash: e1216a0e8ac6d1b22054de5508a66f14bccf94a19848737f0aef1e89b539e259
Instruction Fuzzy Hash: A5427879608341DFE704CF28E85475ABBE2BF88315F09886DE8858B391D779D985CF82

Function 00027BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24318ba5d6bae7d1d3483ef0481db69ad0a9ea093ca4b51eff9f97b1e4e02b6
Instruction ID: f502d099e82aedfe07e3af1e30bc1bdb1964a2f24a0c8870901beb6482b09e37
Opcode Fuzzy Hash: a24318ba5d6bae7d1d3483ef0481db69ad0a9ea093ca4b51eff9f97b1e4e02b6
Instruction Fuzzy Hash: 3C320274519B218FC3B8CE29D59052AB7F1BF45710BA08A2ED69B87F90D736B845CB10

Function 000689A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f981d849679d8e3d920aaf6079df4475d124bf428aa31b2a30dc37b8775cdb2a
Instruction ID: a9346d717092a52f9869391a5dbb49a17f16bc76b2811a18544169cec0f67124
Opcode Fuzzy Hash: f981d849679d8e3d920aaf6079df4475d124bf428aa31b2a30dc37b8775cdb2a
Instruction Fuzzy Hash: D402BC30608341DFD704DF68E88061ABBE6EF8A305F49896DE5C997362C739D950CB92

Function 00068A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c819bf7167b38637bf2de20c866f06fbe060d8f403c21616de1e12cac784a412
Instruction ID: b1471ac17f7352b7a70a5f07b3d5b7910da5053ed6d67bf03ed9434f664e9fbf
Opcode Fuzzy Hash: c819bf7167b38637bf2de20c866f06fbe060d8f403c21616de1e12cac784a412
Instruction Fuzzy Hash: BDF19A30A0C340DFD704EF28D88061EFBE6EB8A305F49892DE5C997252D73AD951CB92

Function 00068C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d66ec0fd4fd2ac4cde1d43ef631e20615d52d7d381d306f08e3cb2e252d8c0
Instruction ID: c8fb5e5d93b357de909e0c5e85afebb49a8696f9430409d9fc2ffd2765c4630e
Opcode Fuzzy Hash: f6d66ec0fd4fd2ac4cde1d43ef631e20615d52d7d381d306f08e3cb2e252d8c0
Instruction Fuzzy Hash: 8AE1BE31A08341CFD704DF28D88062AF7E6EB8A315F49896CE5C997352D73AE951CB92

Function 0002A300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: 7f4586f3d8032fe2e5cf394245850125c5a3dbf4842210ab525efa572bc57f84
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: 8BF1CE756087418FD724CF29C881B6BFBE2AFD9304F08882DE4C587751EA39E945CB92

Function 00068E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936fa1545ad8384ece8781962583cedc15ff2fab26948c70c87e6eec46a3d485
Instruction ID: 6ccad6a21eec658acede9f0100061d0e32c42c3a58e0f665fb85f8460bb064ca
Opcode Fuzzy Hash: 936fa1545ad8384ece8781962583cedc15ff2fab26948c70c87e6eec46a3d485
Instruction Fuzzy Hash: 87D1BD3060C240DFE704EF28D89062EFBF6EB8A305F49896CE4C997252D73AD951CB52

Function 00034487 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97399964454c644a0a90ebf64440666ab0dd0914e2c74cfe3cc9fb9b8d12bb25
Instruction ID: 6bb03f5c31b4613466c2815638b15bdf8a9c501cd6a0c00f625b1a4c2b75e5d0
Opcode Fuzzy Hash: 97399964454c644a0a90ebf64440666ab0dd0914e2c74cfe3cc9fb9b8d12bb25
Instruction Fuzzy Hash: E2E10FB5601B008FD365CF28E992BA7B7E5FF06704F04886CE4AACB752E775B8148B54

Function 00066CBF Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a12a8c6e281e41c7532b7f46021c7dc2622a42572aaeccd54148f29bef0645
Instruction ID: 904d756d479dfa6b0ec7afc63670b50fe3eac45226db83e019d0b17b8a6f2cff
Opcode Fuzzy Hash: 28a12a8c6e281e41c7532b7f46021c7dc2622a42572aaeccd54148f29bef0645
Instruction Fuzzy Hash: 9BD10236A1C355CFE715CF38E88055AB7E2BB89314F098A6CE499D7391D339DA80CB81

Function 00067AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602162248b0001c367fd3037e7a9255e900a30cda2e7a69bad193f95e86e7e2d
Instruction ID: a31f4d4c2683e3dc9a5686a1cec4766470613617c8bb56463a50f277dd2ec25c
Opcode Fuzzy Hash: 602162248b0001c367fd3037e7a9255e900a30cda2e7a69bad193f95e86e7e2d
Instruction Fuzzy Hash: D5B1F572A0C3504BE324DA28CC45B6FB7E6AFC8318F08496DE99D97392E735DD048792

Function 0002AF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: ac8d36ed01fccd3d1f02771fb6fc797c3307f0825bac9e4d59820f07f8037428
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: CCC168B2A087518FC370CF68DC96BABB7E1BF85318F08492DD1D9C6242E778A155CB46

Function 00036536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a1eb06bd73faa21a6b8ad3d025d5ba373fbd603f18c236868e0845415b2759
Instruction ID: dd84e2b3a3859ee17853af87fabe322b19c73701e633c3061adc94ad0869030f
Opcode Fuzzy Hash: 81a1eb06bd73faa21a6b8ad3d025d5ba373fbd603f18c236868e0845415b2759
Instruction Fuzzy Hash: D5B122B4500B009FD322CF24D985B67BBF5AF4A704F14885CE8AA8BB52E776F805CB54

Function 00067710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4203f10dedff15b7ea915c8406b988868416b96687ed1426c63c6ec561240f7a
Instruction ID: 47407401e62cf4188feaf187f2f9a0dd441009f60ad08e93ef76cdf52f11ffd3
Opcode Fuzzy Hash: 4203f10dedff15b7ea915c8406b988868416b96687ed1426c63c6ec561240f7a
Instruction Fuzzy Hash: 8991BF71A0C301ABE724CB14DC40BAFB7E6EB85359F54881CF59997352E730E940CBA2

Function 0006A0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d9fbb9a869cd403b28ad6a4f1338827e5ed1ae350958440ba2af84fb44615b
Instruction ID: 31edf59d58a7680c133fdedd0b85bedbdc841a1c00df79dd7781231afd718a9e
Opcode Fuzzy Hash: 76d9fbb9a869cd403b28ad6a4f1338827e5ed1ae350958440ba2af84fb44615b
Instruction Fuzzy Hash: 25818E346087018BD724EF28D890A2EB7F6FF4A740F45892CE585AB351E735ED50CB92

Function 0008547B Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769ac7f48117c14900ad6988bea8b2325a862f4ff7bef3d3af14e6b9777f448e
Instruction ID: 0277a2bd3d748c64188186878a7d742076635446436c7415e3e5e84e6a890dc0
Opcode Fuzzy Hash: 769ac7f48117c14900ad6988bea8b2325a862f4ff7bef3d3af14e6b9777f448e
Instruction Fuzzy Hash: 339159F3F116250BF3544834DCA83A26583A7E5324F2F82788E9D6B7C6E87E4D491284

Function 000564F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b310eadb82017a7c76ca9295b9735fcc46cc3ed4f7a64d23145df8365a0f63c5
Instruction ID: 0e9a4394b616899dc42bd4dbd36f116b2237a91e140210d491ce867207b19831
Opcode Fuzzy Hash: b310eadb82017a7c76ca9295b9735fcc46cc3ed4f7a64d23145df8365a0f63c5
Instruction Fuzzy Hash: 4471F833B69E904BD3248D7C4C453AAAA834BD6334F7DC379EDB48B3E5D56A480A4340

Function 000428E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa49601d30ef2299b255ad72db207990fcabf458111a46da665b076294eedf63
Instruction ID: 2f8760ce658926fd349f4bfcd3ef66511d26b362d49c421a22b327bb74e9f3d7
Opcode Fuzzy Hash: aa49601d30ef2299b255ad72db207990fcabf458111a46da665b076294eedf63
Instruction Fuzzy Hash: A06178B45083509BD310AF14E851A2ABBF0FF96754F44492CF4C59B262E379D910CB6B

Function 00047C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b12f713a11600ecaa3390bec7f3807d06561de4276b6fe2211d02fbb2bf47c5
Instruction ID: fa9972fa1614a892b2baf9df1430fdab9ca7bb4e5950dc098ab9c5166cf66188
Opcode Fuzzy Hash: 4b12f713a11600ecaa3390bec7f3807d06561de4276b6fe2211d02fbb2bf47c5
Instruction Fuzzy Hash: E55190F1A18204ABDB209B24CC96FB733B4EF85758F144968FA898B291F375D805C766

Function 00051860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: c6e9a6dc0e233163d4903bb191fe5a0ea3731b76c963954bf667c5c05236bd61
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: 1761FE3160D301ABD765CE28C5807AFBBE2EBC5352F68C92DF8998B351D670DC899742

Function 000582D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc90c909e86c399dc2eb7fa580b2e37641c7f38015ad25ea1e1fff2144c50f4
Instruction ID: d1629616423e72da908837d585f4bcdb30f0a44b74b0ae23d776d81715a7fc8f
Opcode Fuzzy Hash: 7cc90c909e86c399dc2eb7fa580b2e37641c7f38015ad25ea1e1fff2144c50f4
Instruction Fuzzy Hash: 31614733B1A9904BE324453D5C463AB6A831BD2331F3EC366DDF2AB3E4DDA949098341

Function 0011A8B7 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac482ccfdd2273eb30a884c8d8e7e01021c48c4d06478c2e412b2b1bf975d87d
Instruction ID: f049cedd39b6cb2b448613188b70e49f3e12a80fa87bf0c26cf34f7c931a4747
Opcode Fuzzy Hash: ac482ccfdd2273eb30a884c8d8e7e01021c48c4d06478c2e412b2b1bf975d87d
Instruction Fuzzy Hash: 9D5168F7A182005FE3049D3DDC9973AB7DAEBD4320F2A853DDA84C7748E87998068256

Function 0011A8B7 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac482ccfdd2273eb30a884c8d8e7e01021c48c4d06478c2e412b2b1bf975d87d
Instruction ID: f049cedd39b6cb2b448613188b70e49f3e12a80fa87bf0c26cf34f7c931a4747
Opcode Fuzzy Hash: ac482ccfdd2273eb30a884c8d8e7e01021c48c4d06478c2e412b2b1bf975d87d
Instruction Fuzzy Hash: 9D5168F7A182005FE3049D3DDC9973AB7DAEBD4320F2A853DDA84C7748E87998068256

Function 000342FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6770ae97edf091dc53a518a707b1f33892b51fc2ab7a29c78d4cae2b9e52b142
Instruction ID: 25f3b230234d4b5594c176acc492b991d6941cc7102ff16aa24299fb89763d5f
Opcode Fuzzy Hash: 6770ae97edf091dc53a518a707b1f33892b51fc2ab7a29c78d4cae2b9e52b142
Instruction Fuzzy Hash: 1581FFB4810B00AFD360EF38D947797BEF4AB06301F504A1DE8EA96695E7306459CBE3

Function 001180BF Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbc63d255a5de2e69bfc1094f274b4a9c4d6bb763b0fc57591d6d2406d85534
Instruction ID: 7ad94945f1a9c9a673be9dfb6ffb65a0cf2ff6095d10a9f5114d3bb37f168f8b
Opcode Fuzzy Hash: dfbc63d255a5de2e69bfc1094f274b4a9c4d6bb763b0fc57591d6d2406d85534
Instruction Fuzzy Hash: D95157F3A186005FF3085E29DC9573AB7D6EBD4320F1F853DDA89C7784E97A98064681

Function 001180BF Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbc63d255a5de2e69bfc1094f274b4a9c4d6bb763b0fc57591d6d2406d85534
Instruction ID: 7ad94945f1a9c9a673be9dfb6ffb65a0cf2ff6095d10a9f5114d3bb37f168f8b
Opcode Fuzzy Hash: dfbc63d255a5de2e69bfc1094f274b4a9c4d6bb763b0fc57591d6d2406d85534
Instruction Fuzzy Hash: D95157F3A186005FF3085E29DC9573AB7D6EBD4320F1F853DDA89C7784E97A98064681

Function 0005E8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: fc60cd4f23a90c73b5e2ef0b325d4ba53855a5310ec7d7506fed63fea9798717
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: 90515DB16087548FE314DF69D49435BBBE1BBC5318F044E2DE4E987391E779DA088B82

Function 000DE844 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6596f1feaa678aedbd3f13b6eda199e74b8f958bfebdde42e66b13c3e094de97
Instruction ID: 163a600c39a1faee9306465f6bb1806f68b468f9869c52cb056a7824b1187467
Opcode Fuzzy Hash: 6596f1feaa678aedbd3f13b6eda199e74b8f958bfebdde42e66b13c3e094de97
Instruction Fuzzy Hash: 895108F3F082045BF308692DED867AAB7DADB94320F1E453DEB85D3781E9796C054286

Function 000DE844 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6596f1feaa678aedbd3f13b6eda199e74b8f958bfebdde42e66b13c3e094de97
Instruction ID: 163a600c39a1faee9306465f6bb1806f68b468f9869c52cb056a7824b1187467
Opcode Fuzzy Hash: 6596f1feaa678aedbd3f13b6eda199e74b8f958bfebdde42e66b13c3e094de97
Instruction Fuzzy Hash: 895108F3F082045BF308692DED867AAB7DADB94320F1E453DEB85D3781E9796C054286

Function 00067520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c815afc75589043417d47ce30e238daa6ef84b175a7b56ea8222d2524a4ee9e
Instruction ID: 60aa5d72a7ccff57760fc5f12138d094d1e4fbb35c44fd9e6147873d3943940f
Opcode Fuzzy Hash: 2c815afc75589043417d47ce30e238daa6ef84b175a7b56ea8222d2524a4ee9e
Instruction Fuzzy Hash: 7851037160C600ABD7199E18DC90B2EB7E7FB85319F288A2CF9D997391D635AC10C791

Function 000A6BE3 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034ebd8a51988a7810d2440a25e0f6fdbfcd305022d70c058f37d122b33666bb
Instruction ID: a0258326624a1ddd9f965daef7dac216de7b3ea8d2d06d90a6cd4f08d4199a74
Opcode Fuzzy Hash: 034ebd8a51988a7810d2440a25e0f6fdbfcd305022d70c058f37d122b33666bb
Instruction Fuzzy Hash: 6C517AF3A086045BE7086E2ECC9576BB792EBD4310F1A863DCBD5473C1EA3928018686

Function 000A6BE3 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000001.2274473921.0000000000080000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_1_80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034ebd8a51988a7810d2440a25e0f6fdbfcd305022d70c058f37d122b33666bb
Instruction ID: a0258326624a1ddd9f965daef7dac216de7b3ea8d2d06d90a6cd4f08d4199a74
Opcode Fuzzy Hash: 034ebd8a51988a7810d2440a25e0f6fdbfcd305022d70c058f37d122b33666bb
Instruction Fuzzy Hash: 6C517AF3A086045BE7086E2ECC9576BB792EBD4310F1A863DCBD5473C1EA3928018686

Function 00025A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 058a7dae0bdfeecf23cae7ba21435956148544908f58bbdde521d3ce11d635ee
Instruction ID: 04e9597cfb020d93d55383c767b6734cbb4c7432fdc24414bc30942982058e23
Opcode Fuzzy Hash: 058a7dae0bdfeecf23cae7ba21435956148544908f58bbdde521d3ce11d635ee
Instruction Fuzzy Hash: 8751D375A047249FC714DF14E88192AB7E1FF89329F1586ACE8958B352D730EC42CB96

Function 0004EC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe69ec0a52c26ca1c68368250ae002a2b207ea0fba1296de6057e8970cb3c3ee
Instruction ID: ac0699f901457dd7dc5c72c1ed0267907b7180f5cc0afcfdfb70785858ae8e5f
Opcode Fuzzy Hash: fe69ec0a52c26ca1c68368250ae002a2b207ea0fba1296de6057e8970cb3c3ee
Instruction Fuzzy Hash: C741ADB4D00365DBDF208F94DC91BA9B7B1FF0A300F140558E945AB2A1EB38A951CB95

Function 00069B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebcd6340b0657f6de8bcfa32970b5e29339d84c0f1dff004218e961b24f95d82
Instruction ID: 88df6fe3a16282b93914de08dd0fe59dc28e255fd13cf93fb18d4c1e3265fda0
Opcode Fuzzy Hash: ebcd6340b0657f6de8bcfa32970b5e29339d84c0f1dff004218e961b24f95d82
Instruction Fuzzy Hash: B641AE34608300ABE754DB14DD90B2EB7FBEB85721F14882CF58997652D375E800CB62

Function 00032030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e122a6531a75054d11f2153f3c328441d252bc6d6bf500ff064689fe3e922dcd
Instruction ID: 93521aa31b7de0f6ecf412a59b57688eec611971b8ddcccb81fd4843ac023c8c
Opcode Fuzzy Hash: e122a6531a75054d11f2153f3c328441d252bc6d6bf500ff064689fe3e922dcd
Instruction Fuzzy Hash: E1410732A083654FD35DCE29849063ABBE2AFC4300F09863EE4D6873D1DAB48945D781

Function 00031E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7422028d5eebf712eb1845390c9f6e991794282b2e80f564c21eff5c3826fd9d
Instruction ID: 6f685f688c43dd7c99278ad80ad38e26c041e1465ef426b7fd0e390ee04db6ec
Opcode Fuzzy Hash: 7422028d5eebf712eb1845390c9f6e991794282b2e80f564c21eff5c3826fd9d
Instruction Fuzzy Hash: 6B41D1745083809BD321AB59D888B2EFBF9FB8A745F14491CF6C497292C37AD8148F66

Function 00068D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d91ba4f3e2d2433d53f41625b1426db588ef5ddb142c64f87e62831a72f7f9
Instruction ID: 5099906c5fdbf157050a7ce575774c968a2c6fee013e050d434b5c4ad3dabf3c
Opcode Fuzzy Hash: 33d91ba4f3e2d2433d53f41625b1426db588ef5ddb142c64f87e62831a72f7f9
Instruction Fuzzy Hash: 9741B03160D2508FC714EF68C49052EFBE6AF9A310F198B2DD4D5E72A2DB75DD018B92

Function 0003D961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48129006f273557e2c3b0ada89bad57eb0bd31ed9bf1c224aa55d19cc27f1d15
Instruction ID: 5324d29fc3aef9ae495be3c9dd6c1402dcc5bb65615d2a6632ca0de6b0083d71
Opcode Fuzzy Hash: 48129006f273557e2c3b0ada89bad57eb0bd31ed9bf1c224aa55d19cc27f1d15
Instruction Fuzzy Hash: DE41CEB1648381CBE3309F14E841BAFB7B4FF96364F04095AE48A8B752E7784840CB93

Function 0005F030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: 226a3ed0c8ec21e042eddd6fb7dcc15b5cd9c5583e463235c8c22628d8d3ee1b
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: 572137329082254BC3249B59C48053BF7E8EB99705F0A963EDDC4A7295E339DC1887E1

Function 000667EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74eb35bbac79ba4f7d8d3894fe3fec813bd4581c4d37b9bcf92627b47743ee16
Instruction ID: 475b6089db1bf4816195ae3385405554668c199ea32f87f3160dfaf37f4b8d4b
Opcode Fuzzy Hash: 74eb35bbac79ba4f7d8d3894fe3fec813bd4581c4d37b9bcf92627b47743ee16
Instruction Fuzzy Hash: 1E3134705183829AE714CF14C49066FBBF1EF96388F50590CF4C8AB262D739DA85CB9A

Function 00045E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa3922f1aaf72c497f45f74dffad55a1759b7d141445c11056f76b462d59ac8
Instruction ID: a43b907bab02b7e13a17b6c18d9d4a04e53e2d931a36971111ded8e0acc0509e
Opcode Fuzzy Hash: efa3922f1aaf72c497f45f74dffad55a1759b7d141445c11056f76b462d59ac8
Instruction Fuzzy Hash: 0521A1B05086019BD310AF18C84196BB7F4EF92766F448928F4D99B293E334C904CBA7

Function 000249A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: 47ecc820e49270822cf2ec68ecfcd02e4dc5006b750b69b2af743a38153aad4c
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: C931F9316482209FD750DE18F881A2BB7E1EFC8358F18892DE89ACB241D335DC42CB87

Function 000664B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7956a8c02700900468d44ed1253183ddd829f99cc17ff258f370def50452851
Instruction ID: 3b3c5e1e6c7710211804a1b846a3e9f23646eac947a1c826d79cffac347f1e25
Opcode Fuzzy Hash: c7956a8c02700900468d44ed1253183ddd829f99cc17ff258f370def50452851
Instruction Fuzzy Hash: 19215C7090C240DBD708EF19D990A2EFBF6FB95745F18881CE4C993361CB3AA850CB62

Function 00030EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac07623e804c4e465ac07a8f6994448de584a3ee2ea73204c6742d38002b36e5
Instruction ID: 207783d4164dcc433956b7ee9439879038eb1148cee8232f1f879794387e2889
Opcode Fuzzy Hash: ac07623e804c4e465ac07a8f6994448de584a3ee2ea73204c6742d38002b36e5
Instruction Fuzzy Hash: 732139B490121A9FEB15CF94CCA0BBEBBB6FB4A304F144858E411BB292C735A901CB64

Function 0005B650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 3b416f81d84c3441231b5fad3c472901f78caf330c1f3491aafd8651b413a4e7
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: E911A933B051D44EC3168D3C844056ABFE31BA3636B594399F8B49B2D2D7269D8E8355

Function 00050B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: c1c3c2ea49dc8e2584e62e00334e5cda03b4cbecde1b42f5027d7f4492f7351f
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: 6B0171F5A0030247F7609E54E4D1B7FB2E86F8571DF18452CED0657202DB75EC09C692

Function 0004D1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e14aaeca92e3d24e9ca1df5be88a53682462e9bafa2d5f84359cfdb0c70638fc
Instruction ID: 1a7b9975f9b3274fa3e0273799b4c6d81f9938960248ca40b0ad17beb3a1ffda
Opcode Fuzzy Hash: e14aaeca92e3d24e9ca1df5be88a53682462e9bafa2d5f84359cfdb0c70638fc
Instruction Fuzzy Hash: 3E11ECB0408380AFD310AF618584A2FFBE5EBA6714F148C1DF6A49B251C379E819CF56

Function 00026EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063d2ef5968380fe794ba418bc610db1fe8edac1920fc076e64096adb978c583
Instruction ID: d03da000af1d39219b390c9a7e9ba9d265f57d0134cf5c0c1833411b619b1cff
Opcode Fuzzy Hash: 063d2ef5968380fe794ba418bc610db1fe8edac1920fc076e64096adb978c583
Instruction Fuzzy Hash: D8F0243B71822A0BA660CDAAB88083BB3D6D7C9364B041538EA40C3206CDB2E8028190

Function 0005B8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 0003C5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 0003B410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 48227f2ad21e50e01b96d24e204f98b3ff7432f69f82e53f77e05d8727974729
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: 71F0ECB1A0451057DF33CA549CC4F77BBDCCB87358F190427E98557103D2615845C3E9

Function 00058220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697d20713677ce2d8ca381617fa5363bd1324dde9c4a7376e01664e0b939632c
Instruction ID: 10845aee9455733aa0936732aed118159c69f17d0f4821d42bc099e1f67c3665
Opcode Fuzzy Hash: 697d20713677ce2d8ca381617fa5363bd1324dde9c4a7376e01664e0b939632c
Instruction Fuzzy Hash: 9901E4B04147009FD360EF29C445B57BBE8EB08714F404A1DE8EECB680D774A5448B82

Function 00061440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 7f825e1aa2b5c7a5efb169c0173b903514a5afd364ea82f430e095199848ea2a
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: B5D0A731608321479FB48E19A4109B7F7F1EBC7B51F4D955EF586E3148D630DC41C2A9

Function 00031ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e8f21483b3f311ed3559b3763fb877598cdf393d6d5091a4be20cd78556e9c
Instruction ID: 36d72ea7c07f5566acc6172811bb16080e37206e9fa96fa399a7616070f52f45
Opcode Fuzzy Hash: 01e8f21483b3f311ed3559b3763fb877598cdf393d6d5091a4be20cd78556e9c
Instruction Fuzzy Hash: 96C08C34A18002CBE204CF01FC99536B3FDA30B309B00703ADA03F3A31CFA8C402990A

Function 00066094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27444d83acc980139c27a1862383330337ec3446c473fe523cda82f58a47f472
Instruction ID: 6ebf66e69c149ca661926a753d9fb19f3df038b60d3678ae3549769040dd6845
Opcode Fuzzy Hash: 27444d83acc980139c27a1862383330337ec3446c473fe523cda82f58a47f472
Instruction Fuzzy Hash: 0EC04C34A5C04086F108CF049951475E2769B97615A24B119C94A33256C22CD552A51C

Function 00031A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1324c1bca00bb567ad11ec80f8286a4ae847c65a3262dee8c62fb6f994fc2d43
Instruction ID: 0f2f038efdcd855012d9d8a60c6811576080ea52566273bf70277cc92ccdf17d
Opcode Fuzzy Hash: 1324c1bca00bb567ad11ec80f8286a4ae847c65a3262dee8c62fb6f994fc2d43
Instruction Fuzzy Hash: 33C09B35A5D041CBD244CF86FCD1571A3FD9307209B10303AD703F7661C9A4D4058509

Function 00065FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2322339931.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true

Associated: 00000001.00000002.2322310037.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000080000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.000000000020F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.00000000002F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000329000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322380076.0000000000339000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322672573.000000000033A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322804590.00000000004DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2322825810.00000000004E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc552daf440513331bfd487b01400382a2dd849aa703f000855b9c60ed1ff65c
Instruction ID: 26cce213f328508c497354b28efbade588d3c12bd7276a9a1e6403bd8386b791
Opcode Fuzzy Hash: bc552daf440513331bfd487b01400382a2dd849aa703f000855b9c60ed1ff65c
Instruction Fuzzy Hash: 82C09224F680808BF24CCF18DD51935F2BA9B8BA18B14B02DC94AB3257D23CD552960C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
file.exe

Function 000650FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Function 0002FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 0002D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 00065700 Relevance: 1.6, APIs: 1, Instructions: 69
memoryCOMMON

Function 00065BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0006695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 0003049B Relevance: .3, Instructions: 264
COMMON

Function 00063220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 00063202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON